• Heartland, Visa Announce $60 Million Settlement
o Heartland Breach Shows Why Compliance Is Not Enough
o Data Losses to Incur Fines of Up to £500,000
o The 2009 Ponemon Institute 2009 Annual Study: Cost of a Data Breach
• France Ponders Right-To-Forget Law
• 10 Tips for Becoming a Smarter, Social Business Person
• Swiss Court Declares Transfers of Banking Data to U.S. Authorities Illegal
• Court Compares Parties' Clickwrap Contents, Process In Rejecting Unconscionability Claim
• Judge Heaps E-Discovery Costs on Plaintiff
• French Court Strikes Down Another SOX Whistleblower Program
• U.S. Law Firm That Sued China Reports Cyberattack
o US Oil Industry Hit By Cyberattacks: Was China Involved?
• Bar Exam Prep Via an iPhone App
• California CIO: Open Source Officially Welcome Here
• Authenticating Web Pages as Evidence
• Learning To Love That Roommate from Hell
• Blogs, YouTube Prompt Campaign Finance Ruling
• You've Been Served
• Legal Sites Plan Revamps as Rivals Undercut Price
• Courts In Maryland, New Jersey, Florida Declare Mistrials After Juror Internet Research
• Sign of the Times: Clorox Seeks Lawyer for Social Media Issues
o Company Requires 'Tweet' as Part of Law Firms' RFP Response
o Social Networking: A Workplace Policy
• Hitting Pause on Class Videos
• E-Filing: Then and Now
• No Access for the Axis: SourceForge Bows to Government Demands
o Cloud Computing and US Export Control Rules
• A Little ‘i’ to Teach About Online Privacy
• Alaska Superior Court Judge Sides With State, Palin In E-Mail Lawsuit
o Michigan State Court Rules that Government Officials' Personal E-Mails Aren't Subject to FOIA
• S.E.C. Adds Climate Risk to Disclosure List
• Connecticut AG the First to File HIPAA Suit
Heartland, Visa Announce $60 Million Settlement (BankInfoSecurity, 8 Jan 2010) - Heartland Payment Systems announced today that it will pay Visa-branded credit and debit card issuers up to $60 million to cover losses incurred from the Heartland data breach. It is the largest known settlement amount ever paid to Visa as a result of a breach, eclipsing the TJX settlement of $40.9 million in November 2007. In a statement, Heartland and Visa say the $60 million payment will be subject to certain conditions, including a specified level of participation by Visa issuers. Visa says it will provide issuers details in the coming days. The data breach involved an estimated 130 million credit and debit cards, although not all of them were Visa branded. This settlement with Visa is far larger than Heartland’s $3.6 million settlement with American Express, which was announced in December. http://www.bankinfosecurity.com/articles.php?art_id=2054
- and -
Heartland Breach Shows Why Compliance Is Not Enough (ComputerWorld, 6 Jan 2010) - Nearly a year after Heartland Payment Systems Inc. disclosed what turned out to be the biggest breach involving payment card data, the incident remains a potent example of how compliance with industry standards is no guarantee of security. Princeton, N.J.-based Heartland last Jan. 20 disclosed that intruders had broken into its systems and stolen data on what was later revealed to be a staggering 130 million credit and debit cards. That number easily eclipsed the 94 million cards that were compromised in the massive breach disclosed by TJX Companies Inc. in 2007. However, it wasn’t just the scope of the Heartland breach that made it remarkable, but also the company’s insistence that it was certified as fully compliant with the requirements of the Payment Card Industry Data Security Standard (PCI DSS) when it was compromised. http://www.computerworld.com/s/article/9143158/Update_Heartland_breach_shows_why_compliance_is_not_enough?taxonomyId=142
- and -
Data Losses to Incur Fines of Up to £500,000 (BBC, 12 Jan 2010) - The Information Commissioner’s Office will be able to issue fines of up to £500,000 for serious data security breaches. The new rule is expected to come into force in the UK on 6 April 2010. It has been approved by Jack Straw MP, Secretary of State for Justice. The size of the fine will be determined after an investigation to assess the gravity of the breach. Other factors will include the size and finances of the organisation at fault. Individual cases will also be assessed on whether the breach was accidental or deliberate, and how much distress the leak of information caused. There have been several high profile data losses in recent years from large organisations including the Ministry of Defence and the DVLA (Driver and Vehicle Licensing Agency). In an official press statement, Information Commissioner, Christopher Graham said he hoped the penalty would encourage companies to comply more closely with the Data Protection Act. http://news.bbc.co.uk/2/hi/technology/8455123.stm
- and -
The 2009 Ponemon Institute 2009 Annual Study: Cost of a Data Breach (January 26, 2010) - “Understanding Financial Impact, Customer Turnover, and Preventive Solutions examines the costs incurred by 45 organizations after experiencing a data breach. Results were not hypothetical responses; they represent the cost estimates of activities resulting from the actual data loss incidents. This is the fifth annual survey of this issue. Breaches included in the survey ranged from approximately 5,000 records to more than 101,000 records from 15 different industry sectors.” http://www.encryptionreports.com/download/Ponemon_COB_2009_US.pdf [Extremely important annual study, this year with some new findings: e.g., companies that notify victims too quickly incur greater costs; using external consultants to help with breach-response lowers costs significantly; first-timers’ breach costs are higher than those who’ve gone thru earlier responses; pharma/medical companies lose more customers because of breaches]
France Ponders Right-To-Forget Law (BBC, 8 January 2010) - From Britney Spears’s musings to the Tiger Woods scandal, information can take a life of its own once it hits the world wide web. B-list celebs and brand-names bustling for public attention can be particularly vulnerable to people with a gripe against them. The impact of all those online revelations has made France consider the length of time that personal information should remain available in the public arena. A proposed law in the country would give net users the option to have old data about themselves deleted. This right-to-forget would force online and mobile firms to dispose of e-mails and text messages after an agreed length of time or on the request of the individual concerned. http://news.bbc.co.uk/2/hi/programmes/click_online/8447742.stm
10 Tips for Becoming a Smarter, Social Business Person (GigaOm, 10 Jan 2010) - The web is filled with social networks: We have Twitter for meeting new people, Facebook for old college buddies, and Bebo for those of us who don’t want to hang out with the mainstream. Those social networks are rarely viewed as corporate services — they’re relaxing at the end of a long workday, not playgrounds for more business activity. But I would argue that social networks provide value to a business person on several levels, whether it be for those furiously working each day in a cubicle or for others closing big deals on the golf course. Social networks can help make you a smarter business person, and there’s a lot of corporate value to be found in them. (Did you know that Dell has made over $6 million from Twitter alone?) It’s time to exploit them for your business, and here’s how * * * http://gigaom.com/2010/01/10/10-tips-for-becoming-a-smarter-social-business-person/
Swiss Court Declares Transfers of Banking Data to U.S. Authorities Illegal (Hunton & Williams, 11 Jan 2010) - On January 8, 2010, the Swiss Federal Administrative Court (“Bundesverwaltungsgericht”) published a decision that declared the transfer of banking data to U.S. law enforcement authorities by the Swiss bank UBS to be illegal. In late 2009, UBS transferred the data of over 300 customers suspected of evading U.S. taxes to the U.S. Department of Justice and Internal Revenue Service following an order issued by the Swiss Financial Market Supervisory Authority (“Finma”) pursuant to an agreement Finma reached with the U.S. authorities. In its decision, dated January 5, the Court found that Finma overstepped its legal authority in ordering the data transfer. Although strictly speaking the Court’s decision was based on Swiss constitutional, administrative and banking secrecy law, rather than data protection law, the decision contains extensive discussion about the fact that the data transfer significantly impaired the customers’ privacy rights as guaranteed by the Swiss constitution and by human rights instruments to which Switzerland is a party. The Swiss government reportedly is considering whether to appeal the decision to the Swiss Supreme Court, and the decision could have important implications for demonstrating the legal difficulties of transferring personal data from Europe to U.S. law enforcement authorities. Lawyers acting for some of the defendants were also reportedly preparing to file criminal charges against UBS executives and Finma employees for transferring the data illegally. http://www.huntonprivacyblog.com/2010/01/articles/information-security/swiss-court-declares-transfers-of-banking-data-to-us-authorities-illegal/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+PrivacyInformationSecurityLawBlog+%28Privacy+%26+Information+Security+Law+Blog%29&utm_content=Google+Reader
Court Compares Parties’ Clickwrap Contents, Process In Rejecting Unconscionability Claim (BNA’s Internet Law News, 14 Jan 2010) – BNA’s Electronic Commerce & Law Report reports that the U.S. District Court for the Southern District of Indiana held Dec. 22 that clickwrap terms of service, which an appliance company employee clicked to accept when signing up for an online advertising program, formed a binding agreement, rejecting a procedural unconscionability challenge. Case name is Appliance Zone LLC v. NexTag Inc.
Judge Heaps E-Discovery Costs on Plaintiff (Law.com, 14 Jan 2010) - In an action that electronic discovery experts say may signal a sea change in how legal costs are apportioned after trial, a federal judge in Atlanta has ordered the losing company in a patent infringement action to pay more than $268,000 in costs to its opponents for the services of a computer consultant hired to fulfill broad discovery demands. In a Dec. 30 order, U.S. District Judge Thomas W. Thrash Jr. derided the patent infringement case that Cordele, Ga.-based software company CBT Flint Partners filed in 2007 against California company Cisco IronPort Systems (part of technology giant Cisco Systems) as well as the tactics of CBT’s counsel at Atlanta’s King & Spalding. Thrash stopped short of awarding legal fees in the case, however. Cisco IronPort had requested legal fees of more than $1.2 million and its co-defendant, Return Path, an international e-mail and internet technology vendor, had requested $590,000. Both prevailed in the litigation. In his order, Thrash called CBT’s patent infringement claims “objectively baseless” but found that, “although CBT and counsel exercised poor legal judgment in pursuing this action, there is not clear and convincing evidence that the pre-filing investigation was so pathetic as [to] justify an inference of bad faith.” http://www.law.com/jsp/article.jsp?id=1202437930333&rss=newswire&hbxlogin=1
French Court Strikes Down Another SOX Whistleblower Program (Steptoe & Johnson’s E-Commerce Law Week, 14 Jan 2010) - France’s highest court of appeals has ruled that multinational company Dassault Systèmes violated the law by instituting a whistleblower system that included uses not authorized by France’s data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), and by not notifying employees of their right to access, correct, and object to data collected about them. Dassault, which is listed on the New York Stock Exchange, had adopted its whistleblowing system to comply with the U.S. Sarbanes-Oxley Act (SOX), but extended the reporting requirements beyond financial issues without gaining CNIL’s explicit authorization. The court also found that the company’s requirement that employees obtain permission before using company information violated employees’ free speech rights. http://www.steptoe.com/publications-6567.html
U.S. Law Firm That Sued China Reports Cyberattack (Law.com 15 Jan 2010) - A Los Angeles law firm that recently filed a $2.2 billion copyright infringement suit against the People’s Republic of China said that it has become the target of cyberattacks originating in China. “I was the first one to get one of these e-mails,” said Gregory Fayer, a lawyer at Gipson Hoffman & Pancione, which began receiving unsolicited e-mails on its firm computers on Monday. “Something about it didn’t seem right. It didn’t seem quite in the manner in which the person who was supposedly sending it to me would put something, and so I called up the other attorney and said: ‘Did you just send me an e-mail?’ That person said, ‘No.’ That’s how we discovered the first one.” Fayer, who is handling the suit, could not say whether the attacks on the firm were related to it but noted, “It is difficult to believe that the timing is merely coincidental.” The e-mails came the same week that Google Inc. declared that it would stop complying with Chinese censorship requirements for the Internet following reports that several of its computer systems had drawn cyberattacks believed to originate in China. Some of the attacks were aimed at Chinese human rights activists’ Gmail accounts. The firm has contacted the FBI and U.S. Rep. Anna Eshoo, D-Calif., a senior member of the House Permanent Select Committee on Intelligence, who on Tuesday urged companies to come forward about suspected cyberattacks in light of the Google revelation. Fayer said that he and his colleagues already were on “high alert” when the firm filed a $2.2 billion copyright infringement suit on Jan. 5 on behalf of a software firm in Santa Barbara, Calif., against the Chinese government, two Chinese software makers and seven major computer manufacturers that helped distribute Green Dam Youth Escort software. 
http://www.law.com/jsp/article.jsp?id=1202438338267&rss=newswire&hbxlogin=1 [Editor: GhostNet compromised other US law firms’ files—possibly comprehensively—in early 2009; clients apparently were not informed. The FBI finally issued a warning in early November: http://files.knowconnect.com/public/cyber_advisory.pdf]
- and -
US Oil Industry Hit By Cyberattacks: Was China Involved? (Christian Science Monitor, 25 Jan 2010) - At least three US oil companies were the target of a series of previously undisclosed cyberattacks that may have originated in China and that experts say highlight a new level of sophistication in the growing global war of Internet espionage. The oil and gas industry breaches, the mere existence of which has been a closely guarded secret of oil companies and federal authorities, were focused on one of the crown jewels of the industry: valuable “bid data” detailing the quantity, value, and location of oil discoveries worldwide, sources familiar with the attacks say and documents obtained by the Monitor show. The companies – Marathon Oil, ExxonMobil, and ConocoPhillips – didn’t realize the full extent of the attacks, which occurred in 2008, until the FBI alerted them that year and in early 2009. Federal officials told the companies proprietary information had been flowing out, including to computers overseas, a source familiar with the attacks says and documents show. The data included e-mail passwords, messages, and other information tied to executives with access to proprietary exploration and discovery information, the source says. “What these guys [corporate officials] don’t realize, because nobody tells them, is that a major foreign intelligence agency has taken control of major portions of their network,” says the source familiar with the attacks. “You can’t get rid of this attacker very easily. It doesn’t work like a normal virus. We’ve never seen anything this clever, this tenacious.” http://www.csmonitor.com/USA/2010/0125/US-oil-industry-hit-by-cyberattacks-Was-China-involved [I worked in this sector; we saw national governments trying to access oil field reservoir data back in the 1990s.]
Bar Exam Prep Via an iPhone App (LawSites, 18 Jan 2010) - At $999, it is the most expensive app available for the iPhone. But this one may actually be worth it, as TechCrunch reports. Called BarMax CA, it is a full-fledged preparation course for the California bar exam, offered entirely on the iPhone, at a third to a quarter less than the price of a BarBri course. The app was the brainchild of Mike Ghaffary, a graduate of both Harvard Law School and Harvard Business School. He pulled together a team of Harvard law grads to create the app. What does the app offer? A lot, says TechCrunch: “The app is over 1 gigabyte in size, which is the largest application I’ve ever seen. It includes thousands of pages of materials as well as hundreds of hours of audio lectures. It’s all the information you could ever want for the two-month course. And again, it can be done all on your iPhone. That said, if you do want some more tangible paperwork for certain sections, BarMax will send you that electronically as well.” By the end of the year, the company plans to add bar-exam apps for New York and five other states. It may also offer a version for just the multi-state for $500. http://www.legaline.com/2010/01/bar-exam-prep-via-iphone-app.html
California CIO: Open Source Officially Welcome Here (ArsTechnica, 20 Jan 2010) - The Chief Information Officer (CIO) of the state of California has issued an IT policy letter to formally affirm that open source software is acceptable for use by government agencies in California. As the state lies crushed beneath the burden of an unprecedented $20 billion deficit, government officials are looking for ways to cut spending and manage infrastructure more efficiently. Reducing vendor lock-in and giving more consideration to free and open source software could help the state improve its financial health. The same dynamic is also true at the national level. Last year, the national governments of Canada and the UK both began formulating open source IT strategies. The US Department of Defense, which has a history of open source advocacy, issued a memo last year highlighting the advantages of open source adoption. http://arstechnica.com/open-source/news/2010/01/california-cio-issues-it-policy-letter-about-open-source.ars?utm_source=rss&utm_medium=rss&utm_campaign=rss
Authenticating Web Pages as Evidence (Law.com, 21 Jan 2010) - Plaintiff sues your client, claiming that his injuries have significantly affected his lifestyle. He is unable to work, travel or bowl. Not surprisingly, his spouse alleges loss of consortium. On the eve of trial, you discover pictures and other details on a social networking website about plaintiff’s recent trip to the International Bowling Museum & Hall of Fame, including a picture of plaintiff proudly holding a fluorescent orange bowling ball and a four-foot tall gilded trophy dated four days earlier. As you approach the witness with printouts of the web pages, you are stopped in your tracks: “Objection, lack of foundation.” It is now routine for litigators to conduct internet research to work up a case. Indeed, for many litigators, one of the first things they do is see what is available about the opposing party, searching Google, social networking sites like Twitter, MySpace and Facebook, and the party’s personal websites. During the life of any case, there will likely be valuable information obtained from the internet that will be used at deposition or trial. Commonly, the proponent of online evidence will present a screen shot of the web page, which was either downloaded as a .pdf or printed directly from the website. The process is like taking a photograph of the image as it appears on the monitor. In general, this captures not only the look, but also the download date and the URL. If proper steps are not taken to admit the evidence, the value of this information may be lost. [Editor: article continues usefully.] http://www.law.com/jsp/article.jsp?id=1202439301020&rss=newswire
Learning To Love That Roommate from Hell (Steptoe & Johnson’s E-Commerce Law Week, 21 Jan 2010) - Back when it was decided, the Ninth Circuit’s en banc decision in Fair Housing Council of San Fernando Valley v. Roommates.com, LLC struck fear in the hearts of website operators who depend on user-generated content because it seemed to open a gaping hole in the immunity shield provided by section 230 of the Communications Decency Act (47 U.S.C. § 230(c)(1)) (CDA). As we’ve previously reported, the Ninth Circuit held that Roommates.com forfeited its CDA immunity when it “encourag[ed] illegal content” by offering users limited content options via drop-down menus as a precondition for using the service. But since then, most courts have interpreted Roommates.com narrowly, thus assuaging some of the concern that the section 230 aegis would be reduced to tatters. The Fourth Circuit recently continued that trend in Nemet Chevrolet Ltd., et al., v Consumeraffairs.com, Incorporated, rejecting claims that a website acted as an “information content provider” -- and thereby lost its immunity -- by soliciting, revising, and categorizing consumer complaints in order to “attract attention by consumer class action lawyers.” http://www.steptoe.com/publications-6580.html
Blogs, YouTube Prompt Campaign Finance Ruling (CNET, 21 Jan 2010) - The U.S. Supreme Court’s sweeping ruling on Thursday that invalidated large chunks of campaign finance law arose in part from an unlikely source: the emergence of Facebook, YouTube, and blogs, and the decline of traditional media outlets. A 5-4 majority concluded that technological changes have chipped away at the justification for a law that allows individuals to create a blog with opinions about a political candidate--but threatens the ACLU, the National Rifle Association, a labor union, or a corporation with felony charges if they do the same. The now-invalidated law “would seem to ban a blog post expressly advocating the election or defeat of a candidate if that blog were created with corporate funds,” Justice Anthony Kennedy wrote in the majority opinion (PDF). “The First Amendment does not permit Congress to make these categorical distinctions based on the corporate identity of the speaker and the content of the political speech.” Eugene Volokh, a law professor at UCLA, called it the “first appearance” of the word “blog” in a Supreme Court opinion. And Google’s video-sharing site is singled out in the conclusion, with Kennedy writing that “skits on YouTube.com” that cast politicians in an unflattering light could give rise to “felony” charges if a corporation dared to post them. Kennedy added: “Rapid changes in technology--and the creative dynamic inherent in the concept of free expression--counsel against upholding a law that restricts political speech in certain media or by certain speakers. Today, 30-second television ads may be the most effective way to convey a political message. Soon, however, it may be that Internet sources, such as blogs and social-networking Web sites, will provide citizens with significant information about political candidates and issues.” http://news.cnet.com/8301-13578_3-10439023-38.html
You’ve Been Served (Tech Bankruptcy blog, 22 Jan 2010) - BBC News reported a couple of months ago about a British court allowing service of a court order using Twitter. Twitter is, for those who do not yet know, an on-line network allowing users to post short messages that are then broadcast to a list of subscribers. In the particular case, a political blogger named Donal Blarney sought an order enjoining another user of the Twitter service. Because the target of the court injunction had not yet actually been identified, the court allowed the injunction to be served via a posting on Twitter. The posting gave notice of the court order and, because Twitter postings are very limited in length, contained a link to the order itself. Apparently, according to a story in The Register, the tactic succeeded. The malefactor did in fact receive the notice of the order and agreed to comply with the order. Would similar tactics work in the U.S. Bankruptcy Court? Perhaps in limited circumstances. Fed. R. Civ. P. 5(b)(2)(D) and Fed. R. Bankr. P. 7005 allow service by “electronic means” when the recipient has previously consented in writing. Service is effective on transmission. This rule was designed to allow service by e-mail through the ECF system, but there really is no reason why other means could not be used as well. The catch is, of course, getting that advance written consent. http://tech-bankruptcy.blogspot.com/2010/01/youve-been-served.html
Legal Sites Plan Revamps as Rivals Undercut Price (New York Times, 24 Jan 2010) - Westlaw and LexisNexis, the dominant services in the market for computerized legal research, will undergo sweeping changes in a bid to make it easier and faster for lawyers to find the documents they need. Lawyers and researchers paying to go online to find court cases and other legal documents should find better-looking interfaces, more relevant search results and new tools for document-sharing and other collaboration. The changes to the research services are a reaction by Westlaw and LexisNexis to lower-priced — sometimes free — rivals and arrive at a time when law firms are working to cut overhead. The two companies also want to cater to a younger generation of lawyers accustomed to slick Web services and the search interfaces presented by companies like Google and Microsoft. Westlaw will introduce its changes on Feb. 1; LexisNexis has yet to specify a date. Because of advances in computing power and computer science, lawyers can now search all the databases in a given jurisdiction, rather than having to hand-select the pools of information they believe might be relevant to a given case. Most important, according to Mr. Dahn, the WestlawNext service has a revamped search system that allows lawyers to type in general requests, as they might on Google, rather than their typical narrow searches. The search system also relies on algorithms to find documents related to a case that the lawyers may not have thought they needed. http://www.nytimes.com/2010/01/25/technology/25westlaw.html?ref=business
Courts In Maryland, New Jersey, Florida Declare Mistrials After Juror Internet Research (Citizen Media Law Project, 25 Jan 2010) - Appeals courts in Maryland and New Jersey appear to be the first to reverse jury verdicts because of social media use by jurors during trial. http://www.citmedialaw.org/blog/2010/courts-maryland-new-jersey-florida-declare-mistrials-after-juror-internet-research?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+CitizenMediaLawProject+(Citizen+Media+Law+Project)
Sign of the Times: Clorox Seeks Lawyer for Social Media Issues (ABA Journal, 25 Jan 2010) - Clorox is hiring an in-house lawyer to focus on legal issues surrounding social media. The company’s ad for a social media legal expert is “rather surprising,” but it’s a sign of the times, Advertising Age reports. Many companies already use social media to promote their products, and Clorox is no exception, Advertising Age says. The company has Facebook fan pages for Clorox and Brita, uses Twitter to solicit product ideas, and solicits reader feedback on its new blog Understanding Bleach. A job description posted at JDHunter.com says the new hire at Clorox will be expected to provide legal counsel on managing and securing advertising content “especially as it relates to social media and other Web 2.0 executions, TV and radio.” Among other things, the new lawyer will be expected to draft celebrity talent contracts that apply across multimedia platforms, advise on music and video licensing across platforms, and advise on the application of privacy laws to the collection of consumers’ information. Advertising Age interviewed Jack Greiner, an attorney with Cincinnati’s Graydon Head & Ritchey who listed social media as a specialty on LinkedIn. He said the in-house lawyer may want to tackle the issue of how Clorox employees talk about the company and its products on social media by writing a policy establishing the ground rules. The new lawyer would also be wise to counsel against unwise moves that could be used by competitors to gain attention, he said. As an example, he cites the infringement suit filed by The North Face against a clothing upstart called The South Butt. In the end, he said, The North Face became the butt of South Butt’s joke. 
http://www.abajournal.com/mobile/article/sign_of_the_times_clorox_seeks_lawyer_for_social_media_issues [Editor: I gave a presentation on this on 12 January; key lesson: be careful of issuing policies that over-restrict use of social media, and of lawyers’ natural, too-conservative tendencies. PowerPoint presentation here: http://www.knowconnect.com/policies/cat/e_policy_presentations]
- and -
Company Requires ‘Tweet’ as Part of Law Firms’ RFP Response (Law.com, 21 Jan 2010) - In a post yesterday, Larry Bodine’s LawMarketing Blog gave us an update on an interesting RFP issued last year by a company called FMC Technologies. The beauty contest is now down to the final cut. Not only did FMC post the RFP on Legal OnRamp, an online social network for in-house lawyers, it also required interested law firms to “state in a Tweet on Twitter (140 character limit) why FMC should hire the law firm.” Keep in mind that this all occurred in May 2009, when Twitter was even more of a mystery to law firms than it is today. Fifty law firms downloaded the two-page RFP, but as Corporate Counsel reporter Amy Miller wrote last June, BigLaw was generally reluctant to participate. Bodine reports that the following eight firms tweeted and made the final cut:
• Beirne, Maynard & Parsons
• The Law Offices of Tom Fulkerson
• Littler Mendelson
• Seyfarth Shaw
• Summit Law Group
• Sutherland Asbill & Brennan
• Valorem Law Group
• Womble Carlyle Sandridge & Rice
FMC’s general counsel, Jeffrey Carr, is on the board of the Association of Corporate Counsel, and has strong views on the existing model for legal service delivery. He views it as unsustainable and states that it is “antiquated, inefficient and ineffective and it fails to deliver value to the client by avoiding -- indeed by punishing -- those that leverage prior work product, streamline processes and focus on profitability by cost reduction as opposed to top line revenue growth.” Carr says he employed this type of digital/social RFP because he was seeking tech-savvy firms that offered alternative fees and online billing. http://legalblogwatch.typepad.com/legal_blog_watch/2010/01/twitter-required-company-requires-tweet-as-part-of-law-firms-rfp-response.html?utm_source=twitterfeed&utm_medium=twitter
- and -
Social Networking: A Workplace Policy (Law.com, 22 Jan 2010) - The first part of this article addressed issues surrounding the effect of the internet on hiring and firing in the 21st Century. This article discusses the laws that impact social networking in the workplace and provides guidance on developing a social networking and blogging policy. Many states have enacted off-duty conduct statutes, which prohibit an employer from disciplining an employee for engaging in lawful conduct while away from the employer’s premises. These states include, most notably, California, Colorado and New York. However, these statutes also provide exceptions that allow employers to limit otherwise lawful, off-duty conduct where it creates a material conflict of interest for the employer or is reasonably related to the employee’s job. For example, the New York statute allows an employer to discharge an employee for off-duty conduct that creates a material conflict of interest related to trade secrets, proprietary information, or some other business interest. http://www.law.com/jsp/article.jsp?id=1202439369681&rss=newswire [Editor: much more here.]
Hitting Pause on Class Videos (InsideHigherEd, 26 Jan 2010) - In the latest clash of copyright law and instructional technology, the University of California at Los Angeles has stopped allowing faculty members to post copyrighted videos on their course Web sites after coming under fire from an educational media trade group. The policy, enacted earlier this month, has been planned since last fall, when the Association for Information and Media Equipment — a group that protects the copyrights of education media companies — charged the university with violating copyright laws by posting the videos to the password-protected course Web pages without the proper permissions. Copyright law does include exemptions for professors who wish to use audiovisual media “in the course of face-to-face teaching activities of a nonprofit educational institution, in a classroom or similar place devoted to instruction” — so long as the professor is not showing media that he or she knows has been made illegally. The university said streaming the video on a password-protected Web site, where only students who are registered members of the class can access it, satisfies these criteria. But the trade group is arguing that a password-protected space on the Web is not a classroom. “The face-to-face teaching exemption allows a video to be played in class, not streamed to the classroom from a remote location,” Dohra said in an e-mail. “As to the fair use claim, when videos are streamed to students outside the classroom, password protection may limit access to some degree. However, requiring a password doesn’t make an infringement fair use.” http://www.insidehighered.com/news/2010/01/26/copyright
E-Filing: Then and Now (New York Law Journal, 26 Jan 2010) - Over the past decade, we have witnessed a technological revolution that has fundamentally changed our lives. We now routinely check the internet for news updates and shop online, not to mention social networking and tweets. Even in the staid and traditional world of justice, we are affected by this revolution. A little over 10 years ago the New York state Legislature enacted Chapter 367 of the Laws of 1999, which created a pilot program to test electronic filing (“e-filing”) in certain civil cases. When the New York State Courts Electronic Filing System was introduced in 1999, only one case was e-filed all year. Ten years later, e-filing by New York’s legal community has increased exponentially. Since 2002, the number of attorneys registered to e-file their cases has grown from 300 to over 13,000 currently registered. As of the end of 2009, over 200,000 cases and over 500,000 documents have been e-filed with the system. After 10 years of acceptance and growth, electronic filing in the state courts significantly advanced with the enactment of Chapter 416 of the Laws of 2009, effective Sept. 1, 2009. With this new legislation, electronic filing now has a permanent place in New York’s legal system. The legislation makes three important changes to New York’s e-filing program. http://www.law.com/jsp/article.jsp?id=1202439497847&rss=newswire
No Access for the Axis: SourceForge Bows to Government Demands (ReadWriteWeb, 26 Jan 2010) – SourceForge, one of the primary distribution hubs of the open source software movement, has shut its doors to visitors from a number of countries, saying that it is working to be in compliance with existing U.S. laws. In a blog post yesterday, the site responded to rumors around the Twittersphere that various users from outside the U.S. were now unable to access the site. The open source movement has always been community based, working outside of standard boundaries and borders, and some see this as going against those basic tenets. Here is the reasoning for the move in SourceForge’s own words: Since 2003, the SourceForge.net Terms and Conditions of Use have prohibited certain persons from receiving services pursuant to U.S. laws, including, without limitations, the Denied Persons List and the Entity List, and other lists issued by the U.S. Department of Commerce, Bureau of Industry and Security. The specific list of sanctions that affect our users concern the transfer and export of certain technology to foreign persons and governments on the sanctions list. The site began using automatic IP blocking last week and users from a number of countries, including Cuba, Iran, North Korea, Sudan, and Syria, are now unable to access the site. While some are calling foul and declaring the premature death of the open source movement, we have to assume that the technologically savvy users accessing the site would know how to get around a simple IP-based filter. Whether using a tool like Tor or a proxy service like HotSpot Shield, it can’t be all that difficult to access the site. http://www.readwriteweb.com/archives/no_access_for_the_axis.php?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+readwriteweb+(ReadWriteWeb)
- and -
Cloud Computing and US Export Control Rules (Roland Trope, 26 Jan 2010) - Enterprises are giving increasing consideration to the promised benefits of renting storage, processing, and applications hosted beyond their premises on third party servers that can be accessed wirelessly (i.e., “cloud computing”). However, there are growing concerns that companies and professionals (e.g., lawyers, doctors, engineers, accountants) may not understand the inherent risks of entrusting sensitive data to the “cloud.” One risk is that enterprises responsible for export-controlled data (i.e., data subject to the “dual-use” controls of the Export Administration Regulations (EAR), or the defense article controls of the International Traffic in Arms Regulations (ITAR)) will belatedly learn that the data they released to the “cloud” has been transferred by the cloud service provider from servers located in the U.S. to servers located overseas without a license and thus in violation of the EAR and/or the ITAR. One cloud service provider, apparently worried about its own potential liability, obtained back in January 2009 an advisory opinion from the Bureau of Industry and Security on the applicability of the EAR to the service provider’s cross-border transfers of customers’ data. http://www.bis.doc.gov/policiesandregulations/advisoryopinions/jan13_2009_ao_on_cloud_grid_computing.pdf The opinion noted that providing computation capacity via the cloud would not be subject to the EAR, but that if the provider “ships or transmits software that is subject to the EAR, an ‘export’ would occur.” The opinion further noted that an export of data via the “cloud” would be for the benefit of the user, not the provider, and that therefore the user (or customer) would be responsible for compliance with the EAR (and, by implication, potentially liable for any noncompliance). 
Since the ITAR are more restrictive and are interpreted and enforced not by the BIS, but by the State Department’s Directorate of Defense Trade Controls, enterprises should not rely on the BIS opinion for guidance on their responsibilities for ITAR compliance when using “cloud” services. [Roland Trope is a partner in the New York offices of Trope and Schramm LLP, and can be contacted at rltrope@tropelaw.com]
A Little ‘i’ to Teach About Online Privacy (New York Times, 27 Jan 2010) – A little blue symbol is carrying big implications. Trying to ward off regulators, the advertising industry has agreed on a standard icon — a little “i” — that it will add to most online ads that use demographics and behavioral data to tell consumers what is happening. Jules Polonetsky, the co-chairman and director of the Future of Privacy Forum, an advocacy group that helped create the symbol, compared it to the triangle made up of three arrows that tells consumers that something is recyclable. The idea was “to come up with a recycling symbol — people will look at it, and once they know what it is, they’ll get it, and always get it,” Mr. Polonetsky said. Most major companies running online ads are expected to begin adding the icon to their ads by midsummer, along with phrases like “Why did I get this ad?” When consumers click on the icon, a white “i” surrounded by a circle on a blue background, they will be taken to a page explaining how the advertiser uses their Web surfing history and demographic profile to send them certain ads. http://www.nytimes.com/2010/01/27/business/media/27adco.html?scp=1&sq=polonetsky&st=cse
Alaska Superior Court Judge Sides With State, Palin In E-Mail Lawsuit (JuneauEmpire.com, 25 Jan 2010) - An Alaska judge has sided with former Gov. Sarah Palin in a lawsuit over e-mail, finding that state law doesn’t forbid the use of private e-mail accounts to conduct state business. http://juneauempire.com/stories/012510/sta_554316966.shtml?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+StatelineorgRss-Technology+(Stateline.org+RSS+-+Technology)
- and -
Michigan State Court Rules that Government Officials’ Personal E-Mails Aren’t Subject to FOIA (AnnArbor.com, 27 Jan 2010) - A sweeping decision released by the Michigan Court of Appeals today places new limits on the state’s Freedom of Information Act, concluding that personal e-mails exchanged between government officials are not subject to disclosure. The ruling stems from a case out of Livingston County Circuit Court involving the Howell Education Association, the Howell Board of Education and Howell Public Schools. The state appeals court ruled this week that e-mails exchanged between teachers union officials on a school district’s computer system are not subject to FOIA. The three-judge panel reversed a lower court ruling from 2007 that found e-mails stored on the school system’s server were public records. According to the new ruling, only records created to further a public institution’s official duties are subject to FOIA and that “personal communication,” even if related to school issues such as union contract negotiations, are exempt. http://www.annarbor.com/news/state-court-rules-that-government-officials-personal-e-mails-arent-subject-to-foia/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+StatelineorgRss-Technology+(Stateline.org+RSS+-+Technology)
S.E.C. Adds Climate Risk to Disclosure List (New York Times, 28 Jan 2010) - The Securities and Exchange Commission said on Wednesday for the first time that public companies should warn investors of any serious risks that global warming might pose to their businesses. Although the agency has long required companies to reveal possible financial or legal impacts from a variety of environmental challenges, it has never specifically cited climate change as bringing potentially significant business risks or rewards. The S.E.C., on a party-line 3-2 vote, issued “interpretive guidance” to help companies decide when and whether to disclose matters related to climate change. The commission said that companies could be helped or hurt by climate-related lawsuits, business opportunities or legislation and should promptly disclose such potential impacts. Banks or insurance companies that invest in coastal property that could be affected by storms or rising seas, for example, should disclose such risks, the agency said. http://www.nytimes.com/2010/01/28/business/28sec.html?ref=business [Editor: Why is this in MIRLN? Climate-change risk is more speculative than security-breach risk; Y2K risks were disclosed in 1999, and the SEC may turn its sights now to security-breach risk.]
Connecticut AG the First to File HIPAA Suit (Steptoe & Johnson’s E-Commerce Law Week, 28 Jan 2010) - Connecticut Attorney General (and senatorial candidate) Richard Blumenthal has become the first state attorney general to file a complaint for violation of the Health Insurance Portability and Accountability Act (HIPAA). State attorneys general were granted the authority to enforce HIPAA by the Health Information Technology for Economic and Clinical Health (HITECH) Act, which amended HIPAA as part of the American Recovery and Reinvestment Act of 2009. Blumenthal has sued Health Net of the Northeast, Inc., and affiliated and successor companies in federal court in Connecticut after a portable computer disk drive holding the protected health information and other personal information of 1.5 million customers disappeared from the company’s Connecticut office. Blumenthal has also alleged that Health Net violated Connecticut’s breach notification law by delaying notification of affected individuals for six months. Blumenthal is seeking injunctive relief and damages. http://www.steptoe.com/publications-6595.html
**** NOTED PODCASTS ****
BooksAhead.com (Mitch Ratcliffe, IT Conversations) - Calling from the 2010 CES in Las Vegas, tech journalist Mitch Ratcliffe joins Phil and Scott to discuss the future of books, reading, and publishing. He talks about how his blog Booksahead.com is a platform to discuss authors and publishing, as well as news about the industry. He also reviews new mobile devices, including E-Book readers and tablet computers, as well as the Sophie Project, open source software for writing and reading. http://itc.conversationsnetwork.org/shows/detail4361.html [Interesting 45 minute discussion about an expansive, evolutionary future for e-books, with crowd-sourced annotations, social-network asynch recommendations and discussions, author-feedback systems, and perpetual cloud-libraries. ONE STAR.]
Data Mining Spurs Innovation, Threatens Privacy (NPR, 18 Dec 2009; 22 minute audio segment) - By analyzing cell phone movements and online search queries, scientists can monitor traffic in real time and track disease outbreaks more efficiently, but at what cost to privacy? Computer scientists Tom Mitchell and Deborah Estrin discuss the pros and cons of crowd sourcing personal data. http://www.npr.org/templates/story/story.php?storyId=121615586 [Story driven by “Mining Our Reality”, from the 18 December 2009 issue of Science Magazine, and available here: http://www.scribd.com/doc/24279809/Mining-our-Reality-by-Tom-Mitchell-Carnegie-Mellon-University]
**** RESOURCES ****
Exclusive First Look: Fastcase iPhone App (Robert Ambrogi’s blog, 25 Jan 2010) - The legal research service Fastcase is preparing to launch an application that will let users research cases and statutes on their iPhones, all for free. The app is awaiting final approval from Apple before it will be available in the App Store. Fastcase granted me an exclusive first look at a pre-release version of the app. Here is what I found. http://www.legaline.com/2010/01/exclusive-first-look-fastcase-iphone.html
Panopticlick (by EFF) - Is your browser configuration rare or unique? If so, web sites may be able to track you, even if you limit or disable cookies. Panopticlick tests your browser to see how unique it is based on the information it will share with sites it visits. Click below and you will be given a uniqueness score, letting you see how easily identifiable you might be as you surf the web. http://panopticlick.eff.org/
Google Reader Lets You Subscribe to Any Page on the Web (Mashable, 25 Jan 2010) - RSS technology makes it possible for anyone to keep up with fresh content without having to visit the site in question. Now the same holds for webpages without RSS thanks to a new Google Reader feature. Today Google has rolled out a subtle change to Google Reader that lets you create custom feeds to track pages that don’t already have them. So you can subscribe to updates for any webpage simply by typing the URL into the “Add a subscription” text box. Should you put the new feature to work, you’ll start to receive short snippets for any updates made to the pages, and Google asserts that it’s committed to improving the quality of these tiny blurbs over time. On the flip side, webpage owners can choose to opt out by adjusting a few lines of code. http://mashable.com/2010/01/25/google-reader-custom-feeds/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+Mashable+(Mashable)
**** FUN ****
Michael Jackson’s Thriller Inmates, The Sequel: This Is It [VIDEO] (Mashable, 25 Jan 2010) - A new video of hundreds of prison inmates performing a dance routine inspired by the Michael Jackson documentary “This Is It” is something of a sequel to one of the most popular viral videos of all time. Two years ago, a video of 1,500 inmates in the Philippines’ Cebu Provincial Detention and Rehabilitation Center dancing a routine set to Michael Jackson’s “Thriller” was uploaded to YouTube. Since then, it’s reached more than 37 million views. Prison Chief Byron F. Garcia has actually released several videos since “Thriller.” The prison has even become a tourist spot, putting on a monthly performance, selling souvenir shirts and offering visitors chances to have their pictures taken with the dancing inmates. None of the previous videos have come close to the viral success of “Thriller,” though. But now that MJ has sadly passed on, we thought it appropriate to share this performance. It was actually made possible by MJ’s choreographer, Travis Payne. He and two dancers (Daniel Celebre and Dres Reid) taught the inmates all the steps. Go ahead and watch both the dance routine based on “This Is It” (set to “They Don’t Care About Us”) and the classic “Thriller” video below if you like dancing. Hey, we all do — that’s why videos like these are so insanely popular. http://mashable.com/2010/01/25/inmates-this-is-it-michael-jackson/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+Mashable+(Mashable)
**** LOOKING BACK - MIRLN TEN YEARS AGO ****
CIA Says Cyber Threat from Russia and China is Developing (24 February 2000)
The CIA says that there is evidence of “dedicated offensive cyber warfare programs” in China and Russia. Because they know they would lose in conventional warfare confrontation, the countries are focusing on honing their cyber attack capabilities. The US plans to do the same. http://www.computerworld.com/home/print.nsf/all/000224EF6A http://www.zdnet.com/zdnn/stories/news/0,4586,2445516,00.html
**** NOTES ****
MIRLN (Misc. IT Related Legal News) is a free product for members of the American Bar Association’s Cyberspace Law Committee, et al., and is produced by KnowConnect PLLC. Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at (find the “Listserves” box; MIRLN comes through the CLCC-MEMS listserve). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.
Recent MIRLN issues are archived at www.knowconnect.com/mirln.
SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, sans@sans.org.
4. NewsScan and Innovation, http://www.newsscan.com.
5. BNA’s Internet Law News, http://ecommercecenter.bna.com.
6. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
7. McGuire Wood’s Technology & Business Articles of Note,
8. Steptoe & Johnson’s E-Commerce Law Week,
9. Eric Goldman’s Technology and Marketing Law Blog, http://blog.ericgoldman.org/.
10. Readers’ submissions, and the editor’s discoveries.
This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.
MIRLN stands for Miscellaneous IT Related Legal News, since 1997 a free monthly e-newsletter edited by Vince Polley (www.knowconnect.com). Earlier editions, and email delivery subscription information, are at http://www.knowconnect.com/mirln/
Saturday, January 30, 2010
Saturday, January 09, 2010
MIRLN --- 20 December – 9 January 2010 (v13.01)
• Surveillance Shocker: Sprint Received 8 MILLION Law Enforcement Requests for GPS Location Data in the Past Year
• Lawyers Can Post Clients’ Files on Web
• Heartland pays Amex $3.6M over 2008 data breach
o Massachusetts’s Highest Court Delivers BJ Wholesalers (and other Retailers) a Data Breach Liability Gift
o Even Extortion of Breached Company Doesn’t Help Plaintiff Show Concrete Injury, Court Finds
• Should a Case Go Webwide?
• Ghostnet and the Unclassified Crisis
• Copyright Claim Based on Taping Fashion Show
• Background Checks For All With BeenVerified’s iPhone App
• Drunk Drivers in Texas to Be Named on Twitter
• No Private Right of Action to Enforce Connecticut Electronic Monitoring Statute
• Long arm of law reaches into World of Warcraft
• Court’s Ruling Holds One Shiny Gift and One Lump of Coal for Employers
• Harnessing Free-Flowing Competitive Intelligence Through Social Media Sites
• Whatever happened to Second Life?
• FTC set to examine cloud computing
• Calif. Federal Judge OKs Posting of Prop 8 Trial to YouTube
• Ohio Court Gives Criminals Another Reason to Love Their Smart (and Not-So-Smart) Phones
• Internet pirates find ‘bulletproof’ havens for illegal file sharing
NEWS | PODCASTS | RESOURCES | FUN | LOOKING BACK | NOTES
Surveillance Shocker: Sprint Received 8 MILLION Law Enforcement Requests for GPS Location Data in the Past Year (EFF, 1 Dec 2009) - This October, Chris Soghoian — computer security researcher, oft-times journalist, and current technical consultant for the FTC’s privacy protection office — attended a closed-door conference called “ISS World”. ISS World — the “ISS” is for “Intelligence Support Systems for Lawful Interception, Criminal Investigations and Intelligence Gathering” — is where law enforcement and intelligence agencies consult with telco representatives and surveillance equipment manufacturers about the state of electronic surveillance technology and practice. Armed with a tape recorder, Soghoian went to the conference looking for information about the scope of the government’s surveillance practices in the US. What Soghoian uncovered, as he reported on his blog this morning, is more shocking and frightening than anyone could have ever expected. At the ISS conference, Soghoian taped astonishing comments by Paul Taylor, Sprint/Nextel’s Manager of Electronic Surveillance. In complaining about the volume of requests that Sprint receives from law enforcement, Taylor noted a shocking number of requests that Sprint had received in the past year for precise GPS (Global Positioning System) location data revealing the location and movements of Sprint’s customers. That number? EIGHT MILLION. Sprint received over 8 million requests for its customers’ information in the past 13 months. That doesn’t count requests for basic identification and billing information, or wiretapping requests, or requests to monitor who is calling who, or even requests for less-precise location data based on which cell phone towers a cell phone was in contact with. That’s just GPS. And, that’s not including legal requests from civil litigants, or from foreign intelligence investigators. That’s just law enforcement. 
And, that’s not counting the few other major cell phone carriers like AT&T, Verizon and T-Mobile. That’s just Sprint. Here’s what Taylor had to say; the audio clip is here and we are also mirroring a zip file from Soghoian containing other related mp3 recordings and documents. https://www.eff.org/deeplinks/2009/12/surveillance-shocker-sprint-received-8-million-law
Lawyers Can Post Clients’ Files on Web (Arizona Central, 17 Dec 2009) - Lawyers can make their clients’ files available to them on the World Wide Web but only if they take proper safety precautions, the Ethics Committee of the State Bar of Arizona concluded. In a formal written opinion, the panel gave the go-ahead to a lawyer to let clients view and retrieve their own files. Committee members said the plan, as sketched out for them in an inquiry from the attorney, did not run afoul of existing ethics rules about what lawyers must do to safeguard client information. But the committee cautioned that their approval was based on the kind of security the lawyer promised to set up, both in encrypting the files and taking other methods to preclude unauthorized hacking. And the panel also said that the attorney has to conduct periodic reviews to ensure that security precautions in place remain reasonable as technology progresses. This does not mean lawyers have to offer an absolute guarantee that a computer system will be invulnerable to unauthorized access, the committee said. Lawyers are just required to exercise sound professional judgment on what steps are necessary to secure against “foreseeable attempts at unauthorized access.” But the panel said what constitutes “sound professional judgment” is not necessarily based on a judgment that an attorney would reach about what is and is not secure. “It is also important that lawyers recognize their own competence limitations regarding computer security measures,” the opinion states. That requires them to take the necessary time and energy to become competent or to consult available experts in the field. http://www.azcentral.com/business/abg/articles/2009/12/17/20091217abg-fischer1217.html
Heartland pays Amex $3.6M over 2008 data breach (Computerworld, 17 Dec 2009) - Heartland Payment Systems will pay American Express $3.6 million to settle charges relating to the 2008 hacking of its payment system network. This is the first settlement Heartland has reached with a card brand since disclosing the incident in January of this year. The U.S. Department of Justice has charged Albert Gonzalez and several other accomplices with the hack, saying that Heartland was one of several companies that the hackers managed to break into using SQL injection attacks. Other alleged victims include 7-Eleven and Hannaford Brothers. In total, the gang managed to steal more than 130 million credit card numbers from Heartland and about 4.2 million from Hannaford, prosecutors allege. Card-issuing banks such as American Express have had to pay the costs of re-issuing credit cards, following the breach, and many banks have sued Heartland to recover these costs. American Express operates its own credit card brand as well, and the settlement may also cover fines incurred there. Heartland has also had to pay out fines assessed by other brands such as Visa and MasterCard. Typically, these card brands levy fines against those responsible for data breaches. In May, Heartland CEO Bob Carr said that his company had set aside $12.6 million to handle charges related to the hack. More than half of that money was to handle fines levied by MasterCard, he said. http://www.computerworld.com/s/article/9142448/Heartland_pays_Amex_3.6M_over_2008_data_breach?source=CTWNLE_nlt_dailyam_2009-12-18
- but -
Massachusetts’s Highest Court Delivers BJ Wholesalers (and other Retailers) a Data Breach Liability Gift (InfoLawGroup, 23 Dec 2009) - While the proverbial jury is still out concerning retailers’ sales success this 2009 holiday season, Massachusetts’s highest court (the Supreme Judicial Court or “Supreme Court” as referenced herein) delivered retailers a significant holiday gift in the form of an opinion slamming the door on some financial institutions seeking to recover reissuance costs arising out of a retailer’s payment card data breach. The Cumis Insurance Society, Inc. v. B.J. Wholesale Club, Inc. decision (“Supreme Court Decision”) analyzed and ruled upon most of the mainstream legal theories issuing banks have used to attempt to recover card reissuance costs, including breach of contract under a third party beneficiary theory, fraud, negligence, negligent misrepresentation and breach of unfair/deceptive practices laws (in this case M.G.L. Chapter 93A, section 11). We have previously commented on multiple decisions involving retailer payment card breaches similar to the BJ Wholesale breach and PCI liability in general, including a 3rd Circuit federal appellate decision that allowed issuing banks to proceed forward with a third party beneficiary breach of contract theory. This blog post dives into and analyzes the Supreme Court Decision, and looks at it in context against similar decisions. Overall, in terms of issuing banks recovering for payment card breaches, the game does not appear to be litigation in the courts, but rather in the backroom contracts and recovery processes contained in the card brand operating regulations that most retailers agree to comply with. http://www.infolawgroup.com/2009/12/articles/pci-1/massachusettss-highest-court-delivers-bj-wholesalers-and-other-retailers-a-data-breach-liability-gift/
- and -
Even Extortion of Breached Company Doesn’t Help Plaintiff Show Concrete Injury, Court Finds (Steptoe & Johnson’s E-Commerce Law Week, 31 Dec 2009) - A federal court in Missouri has ruled in Amburgy v. Express Scripts, Inc., that a mere fear of identity theft following a data breach, even after the breached company received an extortion letter threatening public release of the confidential information, is insufficient to establish Article III standing and to state a negligence claim. The plaintiff filed a putative class action suit against a pharmacy benefit management company that suffered a breach of customers’ personal information and then received a letter threatening the public release of the information if the company did not pay the persons responsible for the breach. The plaintiff himself was not named in the extortion letter. Nor did he even allege that his personal information had been breached. Nevertheless, the plaintiff claimed that he and fellow class members feared an “increased risk of future injury” following the extortion threat and had to spend money monitoring their credit. The court found that the plaintiff still had not demonstrated a sufficiently concrete injury to satisfy standing requirements or to state a negligence claim, and strongly suggested that this would doom the plaintiff’s contract claims. http://www.steptoe.com/publications-6550.html
Should a Case Go Webwide? (ABA Journal, 21 Dec 2009) - Shortly after oral arguments before the Philadelphia-based 3rd U.S. Circuit Court of Appeals, a marketer for the defense attorney launched a website dedicated to the wrongful-conviction appeal that included everything from court filings to information about the lawyer. The site has received more than 3,400 visitors since April, showing how a case-specific website can help raise the profile of smaller firms, according to Richard Lavinthal, owner of PRforLaw, a Morrisville, Pa.-based legal media relations consulting firm. He developed the site for New York City solo attorney Timothy J. McInnis. But such webpages raise concern among some legal ethicists and marketers, who say the sites could violate rules of professional conduct. Some also argue the marketing tool is inappropriate for a lawyer. http://www.abajournal.com/magazine/article/should_a_case_go_webwide
Ghostnet and the Unclassified Crisis (excerpt from coming book by Stewart Baker, 21 Dec 2009) – [Editor: description of the introduction and workings of the surveillance botnet called GhostNet; this excerpt fails to mention that at least one law firm was fully penetrated, resulting in the apparent compromise of all clients’ files.] http://www.skatingonstilts.com/skating-on-stilts/2009/12/excerpt-7-from-chapter-6-moores-outlaws.html [Editor: some of this was alluded to in MIRLN 12.05; the seminal researcher’s report on GhostNet is here: http://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network]
Copyright Claim Based on Taping Fashion Show (THR Esq, 22 Dec 2009) - A women’s clothing company is suing Canadian Broadcasting Company after a reporter for the television station snuck into a New York fashion show without an invitation and taped the event. According to the complaint filed by Nygard International in New York district court late last week, members of the media who attended the show signed an agreement limiting their right to record the event and distribute footage without written approval. A CBC employee identifying himself as David Common and a cameraman allegedly evaded security and made an unauthorized recording. When asked to leave, the cameraman is said to have refused to go. The event was held on private premises, so one of the grounds for this complaint is trespass. More intriguing, perhaps, Nygard is also claiming that CBC violated the company’s copyright. We’re reminded of professional sporting leagues’ restrictions on the kind of audio-video content that news outlets can transmit from inside a sporting event. Some leagues even attempt to limit descriptions of an event. However, these events derive significant revenue from big TV rights licensing deals and broadcasters who show up with their own cameras potentially interfere with these licensing arrangements. In this case, Nygard makes the case that it was potentially damaged “because distribution of images of Plaintiff’s fashions prior to the release of those products in the marketplace could give Plaintiff’s competitors an unfair advantage and cause Plaintiff to lose control over its intellectual property, goodwill, and public image.” Fascinating argument, and leaving aside the hot question over the IP protection on fashion designs, it could be interesting to see what a court has to say in this case. Will companies be more aggressive in making copyright claims to protect public image going forward? http://www.thresq.com/2009/12/copyright-fashion-show-television.html [Editor: goes to audience members’ iPhone recording of for-fee CLE events, etc.]
Background Checks For All With BeenVerified’s iPhone App (TechCrunch, 22 Dec 2009) - Back in September, we wrote about a new iPhone app that would allow you to run a background check on a new lover. It’s mildly creepy, but also kind of interesting. Unfortunately, that app, DateCheck, also charged an arm and a leg to run the checks. A new one gives you some background checking ability for free. The aptly named Background Check App does exactly what it says: Using data from the site BeenVerified, it allows you to do background checks on people via name queries or their email addresses. And it even allows you to check your contacts on your iPhone with just one click. Just imagine the fun that will bring. But it’s not all free fun. Unfortunately, you only get three free queries a week. After that, you’re prompted to sign up for a BeenVerified account and pay to get unlimited access. Currently, that will cost you $8-a-month. Beyond looking up things such as age, address history, and relatives, Background Check App gives you access to criminal records, the properties associated with a person (and their values), and even scans the social networks to find data about the person there, such as pictures of them. http://www.techcrunch.com/2009/12/22/background-check-iphone-app/
Drunk Drivers in Texas to Be Named on Twitter (Mashable.com, 25 Dec 2009) - Drunk driving in Montgomery County, Texas, this holiday season? Expect to see your name in Tweets, as the local district attorney’s office has vowed to name and shame drunk drivers on Twitter. The tactic, hoping to dissuade drunk drivers using the threat of public humiliation, will see DWI (Driving While Intoxicated) arrests documented on the @MontgomeryTXDAO Twitter account, owned by Montgomery County District Attorney, Brett Ligon. The idea was conceived by County Vehicular Crimes Prosecutor Warren Diepraam, and it’s not entirely new: the information is a matter of public record and some newspapers print the names of people charged with such crimes as a deterrent. Moving the practice to Twitter, however, is somewhat controversial: shaming people who have yet to be found guilty is a concept that some law bloggers are rallying against. http://mashable.com/2009/12/25/drunk-drivers-twitter/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Mashable+%28Mashable%29
No Private Right of Action to Enforce Connecticut Electronic Monitoring Statute (Daniel Schwartz, 29 Dec 2009) - The Connecticut Supreme Court, in a decision that will be officially released on January 5, 2010, has held that employees cannot bring a private right of action against employers that violate the state’s electronic monitoring statute. In Gerardi v. City of Bridgeport, two city fire inspectors were disciplined for improper job performance through the use of GPS devices, allegedly without the employees’ consent. They claimed that the employer violated Conn. Gen. Stat. 31-48d, which prohibits an employer from electronically monitoring an employee’s activities without prior notice, and sought injunctive relief and monetary damages. The employees claimed that even though the statute didn’t contain a private right of action, one should be implied. The Court disagreed. http://ow.ly/QMLm
Long arm of law reaches into World of Warcraft (Kokomo Perspective, 31 Dec 2009) - The virtual world of online gaming seems like the perfect place to hide. There is plenty of anonymity, and it’s almost impossible for someone to trace activity back to its source, right? Wrong. Two weeks ago, Howard County Sheriff’s Department deputy Matt Roberson tracked down a wanted fugitive through one of the most popular games on the Internet — World of Warcraft. And he got his man. “We received information that this guy was a regular player of an online game, which was referred to as ‘some warlock and witches’ game,” said Roberson. “None of that information was sound enough to pursue on its own, but putting everything we had together gave me enough evidence to send a subpoena to Blizzard Entertainment. I knew exactly what he was playing — World of Warcraft. I used to play it. It’s one of the largest online games in the world.” Indeed, World of Warcraft is among the most popular online pastimes today, boasting more than 14 million players in dozens of countries — including Canada. But this is the Internet, and Blizzard is in California. Roberson’s subpoena was nothing more than a politely worded request, considering the limits of his law enforcement jurisdiction and the ambiguity of the online world. Blizzard did more than cooperate. It gave Roberson everything he needed to track down Hightower, including his IP address, his account information and history, his billing address, and even his online screen name and preferred server. From there it was a simple matter to zero in on the suspect’s location. “I did a search off the IP address to locate him,” said Roberson. “I got a longitude and latitude. Then I went to Google Earth. It works wonders. It uses longitude and latitude. Boom! I had an address. I was not able to go streetside at the location, but I had him.” Roberson and Rogers contacted the U.S. Marshals, who immediately notified the Royal Canadian Mounted Police and the Canadian Border Services Agency. According to Rogers, Canadian authorities located Hightower in Ottawa, Ontario, and arranged to have him deported. The marshals picked up the suspect in Minneapolis, and Howard County has until Jan. 5 to bring him back here to face charges. http://kokomoperspective.com/news/local_news/article_15a0a546-f574-11de-ab22-001cc4c03286.html
Court’s Ruling Holds One Shiny Gift and One Lump of Coal for Employers (Steptoe & Johnson’s E-Commerce Law Week, 31 Dec 2009) - A federal district court in Idaho has ruled in Alamar Ranch, LLC, v. County of Boise that an employee waived the attorney-client privilege by communicating with her lawyer over her employer’s email system, where the employer had a clear policy of monitoring employee communications. Other courts have found reasons not to find a waiver under similar circumstances, so this ruling provides support for employers whose monitoring practices come under fire. But the court also found that other people who communicated with the employee and the lawyer simultaneously did not waive their privilege despite the monitoring policy. This part of the ruling could support claims against an employer by non-employees whose communications with an employee were monitored by the employer. http://www.steptoe.com/publications-6550.html
Harnessing Free-Flowing Competitive Intelligence Through Social Media Sites (ABA’s LPM, December 2009) - The Web is a great resource for law firm competitive intelligence (CI). For years, law firm CI analysts have been watching the Web sites of prospective clients and competing firms for any information that can create a competitive advantage for their own firm. This includes monitoring competitor firms’ attorney rosters and tracking trends within other firms based on the publications, press releases and other information posted on their sites. Clients’ and prospective clients’ Web sites are tracked to identify new products, potential litigation issues, and changes within the companies that might enable a firm to capture new work. But for the CI analyst, the disadvantage has been that a lot of the information posted on traditional Web sites is so heavily filtered that it’s ultimately of very little value. The development of Web 2.0 technologies has changed things, however, creating an opportunity to monitor information that doesn’t go through a filter before publication. Resources like social networking sites, “Ning” communities, wikis and blogs encourage the free flow of information, and individuals who were once hidden behind the company’s firewall are conducting all kinds of online conversations outside those walls. For law firm CI analysis, the advent of Web 2.0 has ushered in a whole new era and expanded the abilities to find valuable information that could give the firm a competitive advantage. http://www.abanet.org/lpm/magazine/articles/v35/is7/pg26.shtml [Editor: quite interesting.]
Whatever happened to Second Life? (PC Pro, 4 Jan 2010) - It’s desolate, dirty, and sex is outcast to a separate island. Barry Collins returns to Second Life to find out what went wrong, and why it’s raking in more cash than ever before. Three years ago, I underwent one of the most eye-opening experiences of my life – and I barely even left the office. I spent a week virtually living and breathing inside Second Life: the massively multiplayer online world that contains everything from lottery games to libraries, penthouses to pubs, skyscrapers to surrogacy clinics. Oh, and an awful lot of virtual sex. At its peak, the Second Life economy had more money swilling about than several third-world countries. It had even produced its own millionaire, Anshe Chung, who made a very real fortune from buying and selling property that existed only on Second Life servers. Three years on, and the hype has been extinguished. Second Life has seen its status as the web wonderchild supplanted by Facebook and Twitter. The newspapers have forgotten about it, the Reuters correspondent has long since cleared his virtual desk, and you can walk confidently around tech trade shows without a ponytailed “Web 2.0 Consultant” offering to put your company on the Second Life map for the price of a company car. http://www.pcpro.co.uk/features/354457/whatever-happened-to-second-life
FTC set to examine cloud computing (The Hill, 4 Jan 2010) - The Federal Trade Commission (FTC) is investigating the privacy and security implications of cloud computing, according to a recent filing with the Federal Communications Commission. The FTC, which shares jurisdiction over broadband issues, says it recognizes the potential cost-savings cloud computing can provide. “However, the storage of data on remote computers may also raise privacy and security concerns for consumers,” wrote David Vladeck, who helms the FTC’s Consumer Protection Bureau. http://thehill.com/blogs/hillicon-valley/technology/74209-ftc-examining-cloud-computing
Calif. Federal Judge OKs Posting of Prop 8 Trial to YouTube (Law.com, 7 Jan 2010) - Chief Judge Vaughn Walker made it clear Wednesday that he will forge ahead with televising the federal challenge to Prop 8. But he also signaled he doesn’t want to be the next Lance Ito. The trial, which begins on Monday, will be filmed by court personnel, Walker ruled, but it will not be broadcast live. Instead, the recording will be posted on a YouTube page at some point after the close of the day’s proceedings. Walker declined an offer from In Session (formerly Court TV) to broadcast live, with its own crew. http://www.law.com/jsp/article.jsp?id=1202437693425&rss=newswire&hbxlogin=1
Ohio Court Gives Criminals Another Reason to Love Their Smart (and Not-So-Smart) Phones (Steptoe & Johnson’s E-Commerce Law Week, 8 Jan 2010) - The Supreme Court of Ohio ruled last month in State v. Smith that the warrantless search of a cell phone seized incident to a lawful arrest is prohibited by the Fourth Amendment. The court refused to extend to cell phones the normal doctrine allowing police to search an arrestee’s person and containers found on or near him without obtaining a search warrant, holding that a cell phone is not a “closed container” because it does not hold other “physical objects.” The court also found that cell phones’ “ability to store large amounts of private data gives their users a reasonable and justifiable expectation of a higher level of privacy in the information they contain,” and that police therefore must “obtain a warrant before intruding into the phone’s contents.” http://www.steptoe.com/publications-6558.html
Internet pirates find ‘bulletproof’ havens for illegal file sharing (The Guardian, 5 Jan 2010) – Internet pirates are moving away from safe havens such as Sweden to new territories that include China and Ukraine, as they try to avoid prosecution for illegal file sharing, according to experts. For several years, piracy groups that run services allowing music, video and software to be illegally shared online have been using legal loopholes across a wide range of countries as a way of escaping prosecution for copyright infringement. In the last year there has been a significant shift, say piracy experts, as the groups have worked to stay beyond the reach of western law enforcement. The change is rooted in the evolution of “bulletproof hosting”, or website provision by companies that make a virtue of being impervious to legal threats and blocks. Not all bulletproof services are linked to illegal activities, but they are popular among criminal groups, spammers and file-sharing services. Not every controversial service has fled beyond traditional jurisdictions, however. Some problematic hosts still exist in the US, such as the infamous host McColo, which was based in San Jose, California, and remained in operation until last year. Pirate Bay, after its brief excursion to Ukraine, is now run out of a Dutch data centre called CyberBunker, which is based in an old nuclear facility of the 1950s, about 120 miles south-west of Amsterdam. Research published last year showed that most bulletproof hosts are located in China, where criminals are able to take advantage of low costs and legal loopholes to avoid prosecution. http://www.guardian.co.uk/technology/2010/jan/05/internet-piracy-bulletproof
**** NOTED PODCASTS ****
The Rewilding: A Metaphor (IT Conversations; by Karl Schroeder; 24 July 2009) - Long ago, when we started using technology, we lacked the collective cognizance to define the limits we wanted to exercise control within, so we tried controlling everything. The notion of technological advancement was about the degree of control exercised over nature. However, the modern trend indicates an inversion of that philosophy. According to sci-fi author Karl Schroeder, the world is now reaching a point where we are learning when to let go, and that, he says, is working well. http://itc.conversationsnetwork.org/shows/detail4274.html and http://itc.conversationsnetwork.org/audio/download/ITC.oscon-Schroeder-2009.07.24.mp3 [Editor: 15 minute podcast, relevant to Web 2.0 debates about employer loss of control and threats from too much sharing (e.g., at 8m45s and the discussion about “organizational rewilding”). Talks about knowing when to control, and knowing when to leave alone. ONE STAR.]
**** RESOURCES ****
An E-Book Buyer’s Guide to Privacy (EFF, 21 Dec 2009) - As we count down to end of 2009, the emerging star of this year’s holiday shopping season is shaping up to be the electronic book reader (or e-reader). From Amazon’s Kindle to Barnes and Noble’s forthcoming Nook, e-readers are starting to transform how we buy and read books in the same way mp3s changed how we buy and listen to music. Unfortunately, e-reader technology also presents significant new threats to reader privacy. E-readers possess the ability to report back substantial information about their users’ reading habits and locations to the corporations that sell them. And yet none of the major e-reader manufacturers have explained to consumers in clear unequivocal language what data is being collected about them and why. As a first step towards addressing these problems, EFF has created a first draft of our Buyer’s Guide to E-Book Privacy. We’ve examined the privacy policies for the major e-readers on the market to determine what information they reserve the right to collect and share. http://www.eff.org/deeplinks/2009/12/e-book-privacy
Privacy: An Overview of Federal Statutes Governing Wiretapping and Electronic Eavesdropping (Congressional Research Service, 5 Dec 2009) - This report provides an overview of federal law governing wiretapping and electronic eavesdropping. It also appends citations to state law in the area and contains a bibliography of legal commentary as well as the text of the Electronic Communications Privacy Act (ECPA) and the Foreign Intelligence Surveillance Act (FISA). It is a federal crime to wiretap or to use a machine to capture the communications of others without court approval, unless one of the parties has given their prior consent. It is likewise a federal crime to use or disclose any information acquired by illegal wiretapping or electronic eavesdropping. Violations can result in imprisonment for not more than five years; fines up to $250,000 (up to $500,000 for organizations); in civil liability for damages, attorneys’ fees and possibly punitive damages; in disciplinary action against any attorneys involved; and in suppression of any derivative evidence. Congress has created separate but comparable protective schemes for electronic communications (e.g., e-mail) and against the surreptitious use of telephone call monitoring practices such as pen registers and trap and trace devices. Each of these protective schemes comes with a procedural mechanism to afford limited law enforcement access to private communications and communications records under conditions consistent with the dictates of the Fourth Amendment. The government has been given narrowly confined authority to engage in electronic surveillance, conduct physical searches, install and use pen registers and trap and trace devices for law enforcement purposes under the Electronic Communications Privacy Act and for purposes of foreign intelligence gathering under the Foreign Intelligence Surveillance Act. 
Two FISA provisions, born in the USA PATRIOT Act and dealing with roving wiretaps (section 206) and business records (section 215), are scheduled to expire on December 31, 2009. This report includes a brief summary of the expired Protect America Act, P.L. 110-55 and of the Foreign Intelligence Surveillance Act of 1978 Amendments Act of 2008, P.L. 110-261 (H.R. 6304). It is available in an abridged form without footnotes, quotations, or appendices as CRS Report 98-327, Privacy: An Abbreviated Outline of Federal Statutes Governing Wiretapping and Electronic Eavesdropping, by Gina Stevens and Charles Doyle. http://assets.opencrs.com/rpts/98-326_20091203.pdf
The Growing Wave of Data Breach Litigation (Risk Management, December 2009) - Data breaches - the theft, loss or unintended exposure of personally identifiable information - have compromised hundreds of millions of personal records in recent years. In 2009, the trend continued with two of the largest breaches in history. In January, as many as 100 million credit card records were exposed when it was discovered that hackers broke into the network of credit card processor Heartland Payment Systems. And in October, the personal information of more than 70 million U.S. military veterans was compromised when an improperly erased hard drive was sent out for repair. These breaches, and others like them, only scratch the surface of the problem. A study by Gartner Inc. found that financial fraud affected 7.5% of all Americans in 2008, and data breaches spawned 19% of that fraud. The Identity Theft Resource Center (ITRC) reported that data breaches in 2008 increased by 47% over the previous year. And by November, the ITRC had reported more than 400 breaches affecting 220 million records in 2009 - an amount of records nearly equal to the previous four years combined. Given the scope of the problem, it should be no surprise that data breaches have led to expensive litigation, including attempted class actions. So far, however, these actions have met with little legal success (as distinguished by sizable costs and settlements). But considering the scope of the risk, it would be wise for companies to be familiar with the important decisions in this area. http://www.rmmagazine.com/MGTemplate.cfm?Section=RMMagazine&NavMenuID=128&template=/Magazine/DisplayMagazines.cfm&IssueID=341&AID=4015&Volume=56&ShowArticle=1
**** FUN ****
The Ten Best Viral Videos of the Decade (Salon.com, 26 Dec 2009) - Long ago — the 90s — the word “viral” applied strictly to illness, and we had only an inkling of how awesome it is to dance at weddings, defy gravity and laugh at the funny things cats and toddlers do. This decade changed that. Though we never want to hear words such as “Miss South Carolina,” “inspirational comedian” or “Numa Numa” again, and while we sometimes wonder if those hours spent engrossed in “Planet Unicorn” were hours squandered, we fully cop to a deep, abiding love for viral video. And what’s not to love? It’s a few moments of the crazy, the joyous and the jaw-dropping plopped into our daily grind, minutes made all the sweeter for their “You have GOT to see this” power to bring people together. These are the ones that made us click Replay again and again. http://www.salon.com/mwt/feature/2009/12/26/decade_viral_video [Editor: my favorite is under Honorable Mentions – “Where the Hell is Matt”]
**** LOOKING BACK - MIRLN TEN YEARS AGO ****
LEGAL BRIEF: LAWYERS CLAIM CREDIT FOR AVERTING Y2K DISASTER -- The gentle calendar change on 1 January 2000 having dashed the expectation that the legal community would cash in on a flood of liability lawsuits related to the Y2K computer problem, some lawyers are taking a little credit for saving the world from disaster. Ronald N. Weikers, an attorney who coauthored the book, “Litigating Year 2000 Cases,” says: “Nobody is going to believe that lawyers are heroes in this case, but we had something to do with it. It’s clear to me and a lot of attorneys that by raising red flags in advance we helped avoid bigger problems down the road.” But Weikers hasn’t given up all hope for a little new business, and tells people who are smug about surviving January 1st that “they shouldn’t rest so assured. They should wait a few months. There’s going to be a flurry of activity.” (Washington Post 10 Jan 2000) http://www.washingtonpost.com/wp-dyn/business/A23690-2000Jan9.html Related blog posting from 8 Jan 2010: http://www.TheCorporateCounsel.net/Blog/2010/01/y2k-tcc-the-november-doc.html
**** NOTES ****
MIRLN (Misc. IT Related Legal News) is a free product for members of the American Bar Association’s Cyberspace Law Committee, et al., and is produced by KnowConnect PLLC. Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at (find the “Listserves” box; MIRLN comes through the CLCC-MEMS listserve). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.
Recent MIRLN issues are archived at www.knowconnect.com/mirln.
SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, sans@sans.org.
4. NewsScan and Innovation, http://www.newsscan.com.
5. BNA’s Internet Law News, http://ecommercecenter.bna.com.
6. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
7. McGuire Wood’s Technology & Business Articles of Note,
8. Steptoe & Johnson’s E-Commerce Law Week,
9. Eric Goldman’s Technology and Marketing Law Blog, http://blog.ericgoldman.org/.
10. Readers’ submissions, and the editor’s discoveries.
This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.
• Lawyers Can Post Clients’ Files on Web
• Heartland pays Amex $3.6M over 2008 data breach
o Massachusetts’s Highest Court Delivers BJ Wholesalers (and other Retailers) a Data Breach Liability Gift
o Even Extortion of Breached Company Doesn’t Help Plaintiff Show Concrete Injury, Court Finds
• Should a Case Go Webwide?
• Ghostnet and the Unclassified Crisis
• Copyright Claim Based on Taping Fashion Show
• Background Checks For All With BeenVerified’s iPhone App
• Drunk Drivers in Texas to Be Named on Twitter
• No Private Right of Action to Enforce Connecticut Electronic Monitoring Statute
• Long arm of law reaches into World of Warcraft
• Court’s Ruling Holds One Shiny Gift and One Lump of Coal for Employers
• Harnessing Free-Flowing Competitive Intelligence Through Social Media Sites
• Whatever happened to Second Life?
• FTC set to examine cloud computing
• Calif. Federal Judge OKs Posting of Prop 8 Trial to YouTube
• Ohio Court Gives Criminals Another Reason to Love Their Smart (and Not-So-Smart) Phones
• Internet pirates find ‘bulletproof’ havens for illegal file sharing
NEWS | PODCASTS | RESOURCES | FUN | LOOKING BACK | NOTES
Surveillance Shocker: Sprint Received 8 MILLION Law Enforcement Requests for GPS Location Data in the Past Year (EFF, 1 Dec 2009) - This October, Chris Soghoian — computer security researcher, oft-times journalist, and current technical consultant for the FTC’s privacy protection office — attended a closed-door conference called “ISS World”. ISS World — the “ISS” is for “Intelligence Support Systems for Lawful Interception, Criminal Investigations and Intelligence Gathering” — is where law enforcement and intelligence agencies consult with telco representatives and surveillance equipment manufacturers about the state of electronic surveillance technology and practice. Armed with a tape recorder, Soghoian went to the conference looking for information about the scope of the government’s surveillance practices in the US. What Soghoian uncovered, as he reported on his blog this morning, is more shocking and frightening than anyone could have ever expected. At the ISS conference, Soghoian taped astonishing comments by Paul Taylor, Sprint/Nextel’s Manager of Electronic Surveillance. In complaining about the volume of requests that Sprint receives from law enforcement, Taylor noted a shocking number of requests that Sprint had received in the past year for precise GPS (Global Positioning System) location data revealing the location and movements of Sprint’s customers. That number? EIGHT MILLION. Sprint received over 8 million requests for its customers’ information in the past 13 months. That doesn’t count requests for basic identification and billing information, or wiretapping requests, or requests to monitor who is calling who, or even requests for less-precise location data based on which cell phone towers a cell phone was in contact with. That’s just GPS. And, that’s not including legal requests from civil litigants, or from foreign intelligence investigators. That’s just law enforcement. 
And, that’s not counting the few other major cell phone carriers like AT&T, Verizon and T-Mobile. That’s just Sprint. Here’s what Taylor had to say; the audio clip is here and we are also mirroring a zip file from Soghoian containing other related mp3 recordings and documents. https://www.eff.org/deeplinks/2009/12/surveillance-shocker-sprint-received-8-million-law
Lawyers Can Post Clients’ Files on Web (Arizona Central, 17 Dec 2009) - Lawyers can make their clients’ files available to them on the World Wide Web but only if they take proper safety precautions, the Ethics Committee of the State Bar of Arizona concluded. In a formal written opinion, the panel gave the go-ahead to a lawyer to let clients view and retrieve their own files. Committee members said the plan, as sketched out for them in an inquiry from the attorney, did not run afoul of existing ethics rules about what lawyers must do to safeguard client information. But the committee cautioned that their approval was based on the kind of security the lawyer promised to set up, both in encrypting the files and taking other methods to preclude unauthorized hacking. And the panel also said that the attorney has to conduct periodic reviews to ensure that security precautions in place remain reasonable as technology progresses. This does not mean lawyers have to offer an absolute guarantee that a computer system will be invulnerable to unauthorized access, the committee said. Lawyers are just required to exercise sound professional judgment on what steps are necessary to secure against “foreseeable attempts at unauthorized access.” But the panel said what constitutes “sound professional judgment” is not necessarily based on a judgment that an attorney would reach about what is and is not secure. “It is also important that lawyers recognize their own competence limitations regarding computer security measures,” the opinion states. That requires them to take the necessary time and energy to become competent or to consult available experts in the field. http://www.azcentral.com/business/abg/articles/2009/12/17/20091217abg-fischer1217.html
Heartland pays Amex $3.6M over 2008 data breach (Computerworld, 17 Dec 2009) - Heartland Payment Systems will pay American Express $3.6 million to settle charges relating to the 2008 hacking of its payment system network. This is the first settlement Heartland has reached with a card brand since disclosing the incident in January of this year. The U.S. Department of Justice has charged Albert Gonzalez and several other accomplices with the hack, saying that Heartland was one of several companies that the hackers managed to break into using SQL injection attacks. Other alleged victims include 7-Eleven and Hannaford Brothers. In total, the gang managed to steal more than 130 million credit card numbers from Heartland and about 4.2 million from Hannaford, prosecutors allege. Card-issuing banks such as American Express have had to pay the costs of re-issuing credit cards, following the breach, and many banks have sued Heartland to recover these costs. American Express operates its own credit card brand as well, and the settlement may also cover fines incurred there. Heartland has also had to pay out fines assessed by other brands such as Visa and MasterCard. Typically, these card brands levy fines against those responsible for data breaches. In May, Heartland CEO Bob Carr said that his company had set aside $12.6 million to handle charges related to the hack. More than half of that money was to handle fines levied by MasterCard, he said. http://www.computerworld.com/s/article/9142448/Heartland_pays_Amex_3.6M_over_2008_data_breach?source=CTWNLE_nlt_dailyam_2009-12-18
- but -
Massachusetts’s Highest Court Delivers BJ Wholesalers (and other Retailers) a Data Breach Liability Gift (InfoLawGroup, 23 Dec 2009) - While the proverbial jury is still out concerning retailers’ sales success this 2009 holiday season, Massachusetts’s highest court (the Supreme Judicial Court or “Supreme Court” as referenced herein) delivered retailers a significant holiday gift in the form of an opinion slamming the door on some financial institutions seeking to recover reissuance costs arising out of a retailer’s payment card data breach. The Cumis Insurance Society, Inc. v. B.J. Wholesale Club, Inc. decision (“Supreme Court Decision”) analyzed and ruled upon most of the mainstream legal theories issuing banks have used to attempt to recover card reissuance costs, including breach of contract under a third party beneficiary theory, fraud, negligence, negligent misrepresentation and breach of unfair/deceptive practices laws (in this case M.G.L. Chapter 93A, section 11). We have previously commented on multiple decisions involving retailer payment card breaches similar to the BJ Wholesale breach and PCI liability in general, including a 3rd Circuit federal appellate decision that allowed issuing banks to proceed forward with a third party beneficiary breach of contract theory. This blog post dives into and analyzes the Supreme Court Decision, and looks at it in context against similar decisions. Overall, in terms of issuing banks recovering for payment card breaches, the game does not appear to be litigation in the courts, but rather in the backroom contracts and recovery processes contained in the card brand operating regulations that most retailers agree to comply with. http://www.infolawgroup.com/2009/12/articles/pci-1/massachusettss-highest-court-delivers-bj-wholesalers-and-other-retailers-a-data-breach-liability-gift/
- and -
Even Extortion of Breached Company Doesn’t Help Plaintiff Show Concrete Injury, Court Finds (Steptoe & Johnson’s E-Commerce Law Week, 31 Dec 2009) - A federal court in Missouri has ruled in Amburgy v. Express Scripts, Inc., that a mere fear of identity theft following a data breach, even after the breached company received an extortion letter threatening public release of the confidential information, is insufficient to establish Article III standing and to state a negligence claim. The plaintiff filed a putative class action suit against a pharmacy benefit management company that suffered a breach of customers’ personal information and then received a letter threatening the public release of the information if the company did not pay the persons responsible for the breach. The plaintiff himself was not named in the extortion letter. Nor did he even allege that his personal information had been breached. Nevertheless, the plaintiff claimed that he and fellow class members feared an “increased risk of future injury” following the extortion threat and had to spend money monitoring their credit. The court found that the plaintiff still had not demonstrated a sufficiently concrete injury to satisfy standing requirements or to state a negligence claim, and strongly suggested that this would doom the plaintiff’s contract claims. http://www.steptoe.com/publications-6550.html
Should a Case Go Webwide? (ABA Journal, 21 Dec 2009) - Shortly after oral arguments before the Philadelphia-based 3rd U.S. Circuit Court of Appeals, a marketer for the defense attorney launched a website dedicated to the wrongful-conviction appeal that included everything from court filings to information about the lawyer. The site has received more than 3,400 visitors since April, showing how a case-specific website can help raise the profile of smaller firms, according to Richard Lavinthal, owner of PRforLaw, a Morrisville, Pa.-based legal media relations consulting firm. He developed the site for New York City solo attorney Timothy J. McInnis. But such webpages raise concern among some legal ethicists and marketers, who say the sites could violate rules of professional conduct. Some also argue the marketing tool is inappropriate for a lawyer. http://www.abajournal.com/magazine/article/should_a_case_go_webwide
Ghostnet and the Unclassified Crisis (excerpt from coming book by Stewart Baker, 21 Dec 2009) – [Editor: description of the introduction and workings of the surveillance botnet called GhostNet; this excerpt fails to mention that at least one law firm was fully penetrated, resulting in the apparent compromise of all clients’ files.] http://www.skatingonstilts.com/skating-on-stilts/2009/12/excerpt-7-from-chapter-6-moores-outlaws.html [Editor: some of this was alluded to in MIRLN 12.05; the seminal researcher’s report on GhostNet is here: http://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network]
Copyright Claim Based on Taping Fashion Show (THR Esq, 22 Dec 2009) - A women’s clothing company is suing Canadian Broadcasting Company after a reporter for the television station snuck into a New York fashion show without an invitation and taped the event. According to the complaint filed by Nygard International in New York district court late last week, members of the media who attended the show signed an agreement limiting their right to record the event and distribute footage without written approval. A CBC employee identifying himself as David Common and a cameraman allegedly evaded security and made an unauthorized recording. When asked to leave, the cameraman is said to have refused to go. The event was held on private premises, so one of the grounds for this complaint is trespass. More intriguing, perhaps, Nygard is also claiming that CBC violated the company’s copyright. We’re reminded of professional sporting leagues’ restrictions on the kind of audio-video content that news outlets can transmit from inside a sporting event. Some leagues even attempt to limit descriptions of an event. However, these events derive significant revenue from big TV rights licensing deals and broadcasters who show up with their own cameras potentially interfere with these licensing arrangements. In this case, Nygard makes the case that it was potentially damaged “because distribution of images of Plaintiff’s fashions prior to the release of those products in the marketplace could give Plaintiff’s competitors an unfair advantage and cause Plaintiff to lose control over its intellectual property, goodwill, and public image.” Fascinating argument, and leaving aside the hot question over the IP protection on fashion designs, it could be interesting to see what a court has to say in this case. Will companies be more aggressive in making copyright claims to protect public image going forward? http://www.thresq.com/2009/12/copyright-fashion-show-television.html [Editor: goes to audience members’ iPhone recording of for-fee CLE events, etc.]
Background Checks For All With BeenVerified’s iPhone App (TechCrunch, 22 Dec 2009) - Back in September, we wrote about a new iPhone app that would allow you to run a background check on a new lover. It’s mildly creepy, but also kind of interesting. Unfortunately, that app, DateCheck, also charged an arm and a leg to run the checks. A new one gives you some background checking ability for free. The aptly named Background Check App does exactly what it says: Using data from the site BeenVerified, it allows you to do background checks on people via name queries or their email addresses. And it even allows you to check your contacts on your iPhone with just one click. Just imagine the fun that will bring. But it’s not all free fun. Unfortunately, you only get three free queries a week. After that, you’re prompted to sign up for a BeenVerified account and pay to get unlimited access. Currently, that will cost you $8-a-month. Beyond looking up things such as age, address history, and relatives, Background Check App gives you access to criminal records, the properties associated with a person (and their values), and even scans the social networks to find data about the person there, such as pictures of them. http://www.techcrunch.com/2009/12/22/background-check-iphone-app/
Drunk Drivers in Texas to Be Named on Twitter (Mashable.com, 25 Dec 2009) - Drunk driving in Montgomery County, Texas, this holiday season? Expect to see your name in Tweets, as the local district attorney’s office has vowed to name and shame drunk drivers on Twitter. The tactic, hoping to dissuade drunk drivers using the threat of public humiliation, will see DWI (Driving While Intoxicated) arrests documented on the @MontgomeryTXDAO Twitter account, owned by Montgomery County District Attorney, Brett Ligon. The idea was conceived by County Vehicular Crimes Prosecutor Warren Diepraam, and it’s not entirely new: the information is a matter of public record and some newspapers print the names of people charged with such crimes as a deterrent. Moving the practice to Twitter, however, is somewhat controversial: shaming people who have yet to be found guilty is a concept that some law bloggers are rallying against. http://mashable.com/2009/12/25/drunk-drivers-twitter/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Mashable+%28Mashable%29
No Private Right of Action to Enforce Connecticut Electronic Monitoring Statute (Daniel Schwartz, 29 Dec 2009) - The Connecticut Supreme Court, in a decision that will be officially released on January 5, 2010, has held that employees cannot bring a private right of action against employers that violate the state’s electronic monitoring statute. In Gerardi v. City of Bridgeport, two city fire inspectors were disciplined for improper job performance through the use of GPS devices, allegedly without the employees’ consent. They claimed that the employer violated Conn. Gen. Stat. 31-48d, which prohibits an employer from electronically monitoring an employee’s activities without prior notice, and sought injunctive relief and monetary damages. The employees claimed that even though the statute didn’t contain a private right of action, one should be implied. The Court disagreed. http://ow.ly/QMLm
Long arm of law reaches into World of Warcraft (Kokomo Perspective, 31 Dec 2009) - The virtual world of online gaming seems like the perfect place to hide. There is plenty of anonymity, and it’s almost impossible for someone to trace activity back to its source, right? Wrong. Two weeks ago, Howard County Sheriff’s Department deputy Matt Roberson tracked down a wanted fugitive through one of the most popular games on the Internet — World of Warcraft. And he got his man. “We received information that this guy was a regular player of an online game, which was referred to as ‘some warlock and witches’ game,” said Roberson. “None of that information was sound enough to pursue on its own, but putting everything we had together gave me enough evidence to send a subpoena to Blizzard Entertainment. I knew exactly what he was playing — World of Warcraft. I used to play it. It’s one of the largest online games in the world.” Indeed, World of Warcraft is among the most popular online pastimes today, boasting more than 14 million players in dozens of countries — including Canada. But this is the Internet, and Blizzard is in California. Roberson’s subpoena was nothing more than a politely worded request, considering the limits of his law enforcement jurisdiction and the ambiguity of the online world. Blizzard did more than cooperate. It gave Roberson everything he needed to track down Hightower, including his IP address, his account information and history, his billing address, and even his online screen name and preferred server. From there it was a simple matter to zero in on the suspect’s location. “I did a search off the IP address to locate him,” said Roberson. “I got a longitude and latitude. Then I went to Google Earth. It works wonders. It uses longitude and latitude. Boom! I had an address. I was not able to go streetside at the location, but I had him.” Roberson and Rogers contacted the U.S. Marshals, who immediately notified the Royal Canadian Mounted Police and the Canadian Border Services Agency. According to Rogers, Canadian authorities located Hightower in Ottawa, Ontario, and arranged to have him deported. The marshals picked up the suspect in Minneapolis, and Howard County has until Jan. 5 to bring him back here to face charges. http://kokomoperspective.com/news/local_news/article_15a0a546-f574-11de-ab22-001cc4c03286.html
Court’s Ruling Holds One Shiny Gift and One Lump of Coal for Employers (Steptoe & Johnson’s E-Commerce Law Week, 31 Dec 2009) - A federal district court in Idaho has ruled in Alamar Ranch, LLC, v. County of Boise that an employee waived the attorney-client privilege by communicating with her lawyer over her employer’s email system, where the employer had a clear policy of monitoring employee communications. Other courts have found reasons not to find a waiver under similar circumstances, so this ruling provides support for employers whose monitoring practices come under fire. But the court also found that other people who communicated with the employee and the lawyer simultaneously did not waive their privilege despite the monitoring policy. This part of the ruling could support claims against an employer by non-employees whose communications with an employee were monitored by the employer. http://www.steptoe.com/publications-6550.html
Harnessing Free-Flowing Competitive Intelligence Through Social Media Sites (ABA’s LPM, December 2009) - The Web is a great resource for law firm competitive intelligence (CI). For years, law firm CI analysts have been watching the Web sites of prospective clients and competing firms for any information that can create a competitive advantage for their own firm. This includes monitoring competitor firms’ attorney rosters and tracking trends within other firms based on the publications, press releases and other information posted on their sites. Clients’ and prospective clients’ Web sites are tracked to identify new products, potential litigation issues, and changes within the companies that might enable a firm to capture new work. But for the CI analyst, the disadvantage has been that a lot of the information posted on traditional Web sites is so heavily filtered that it’s ultimately of very little value. The development of Web 2.0 technologies has changed things, however, creating an opportunity to monitor information that doesn’t go through a filter before publication. Resources like social networking sites, “Ning” communities, wikis and blogs encourage the free flow of information, and individuals who were once hidden behind the company’s firewall are conducting all kinds of online conversations outside those walls. For law firm CI analysis, the advent of Web 2.0 has ushered in a whole new era and expanded the abilities to find valuable information that could give the firm a competitive advantage. http://www.abanet.org/lpm/magazine/articles/v35/is7/pg26.shtml [Editor: quite interesting.]
Whatever happened to Second Life? (PC Pro, 4 Jan 2010) - It’s desolate, dirty, and sex is outcast to a separate island. Barry Collins returns to Second Life to find out what went wrong, and why it’s raking in more cash than ever before. Three years ago, I underwent one of the most eye-opening experiences of my life – and I barely even left the office. I spent a week virtually living and breathing inside Second Life: the massively multiplayer online world that contains everything from lottery games to libraries, penthouses to pubs, skyscrapers to surrogacy clinics. Oh, and an awful lot of virtual sex. At its peak, the Second Life economy had more money swilling about than several third-world countries. It had even produced its own millionaire, Anshe Chung, who made a very real fortune from buying and selling property that existed only on Second Life servers. Three years on, and the hype has been extinguished. Second Life has seen its status as the web wonderchild supplanted by Facebook and Twitter. The newspapers have forgotten about it, the Reuters correspondent has long since cleared his virtual desk, and you can walk confidently around tech trade shows without a ponytailed “Web 2.0 Consultant” offering to put your company on the Second Life map for the price of a company car. http://www.pcpro.co.uk/features/354457/whatever-happened-to-second-life
FTC set to examine cloud computing (The Hill, 4 Jan 2010) - The Federal Trade Commission (FTC) is investigating the privacy and security implications of cloud computing, according to a recent filing with the Federal Communications Commission. The FTC, which shares jurisdiction over broadband issues, says it recognizes the potential cost-savings cloud computing can provide. “However, the storage of data on remote computers may also raise privacy and security concerns for consumers,” wrote David Vladeck, who helms the FTC’s Consumer Protection Bureau. http://thehill.com/blogs/hillicon-valley/technology/74209-ftc-examining-cloud-computing
Calif. Federal Judge OKs Posting of Prop 8 Trial to YouTube (Law.com, 7 Jan 2010) - Chief Judge Vaughn Walker made it clear Wednesday that he will forge ahead with televising the federal challenge to Prop 8. But he also signaled he doesn’t want to be the next Lance Ito. The trial, which begins on Monday, will be filmed by court personnel, Walker ruled, but it will not be broadcast live. Instead, the recording will be posted on a YouTube page at some point after the close of the day’s proceedings. Walker declined an offer from In Session (formerly Court TV) to broadcast live, with its own crew. http://www.law.com/jsp/article.jsp?id=1202437693425&rss=newswire&hbxlogin=1
Ohio Court Gives Criminals Another Reason to Love Their Smart (and Not-So-Smart) Phones (Steptoe & Johnson’s E-Commerce Law Week, 8 Jan 2010) - The Supreme Court of Ohio ruled last month in State v. Smith that the warrantless search of a cell phone seized incident to a lawful arrest is prohibited by the Fourth Amendment. The court refused to extend to cell phones the normal doctrine allowing police to search an arrestee’s person and containers found on or near him without obtaining a search warrant, holding that a cell phone is not a “closed container” because it does not hold other “physical objects.” The court also found that cell phones’ “ability to store large amounts of private data gives their users a reasonable and justifiable expectation of a higher level of privacy in the information they contain,” and that police therefore must “obtain a warrant before intruding into the phone’s contents.” http://www.steptoe.com/publications-6558.html
Internet pirates find ‘bulletproof’ havens for illegal file sharing (The Guardian, 5 Jan 2010) – Internet pirates are moving away from safe havens such as Sweden to new territories that include China and Ukraine, as they try to avoid prosecution for illegal file sharing, according to experts. For several years, piracy groups that run services allowing music, video and software to be illegally shared online have been using legal loopholes across a wide range of countries as a way of escaping prosecution for copyright infringement. In the last year there has been a significant shift, say piracy experts, as the groups have worked to stay beyond the reach of western law enforcement. The change is rooted in the evolution of “bulletproof hosting”, or website provision by companies that make a virtue of being impervious to legal threats and blocks. Not all bulletproof services are linked to illegal activities, but they are popular among criminal groups, spammers and file-sharing services. Not every controversial service has fled beyond traditional jurisdictions, however. Some problematic hosts still exist in the US, such as the infamous host McColo, which was based in San Jose, California, and remained in operation until last year. Pirate Bay, after its brief excursion to Ukraine, is now run out of a Dutch data centre called CyberBunker, which is based in an old nuclear facility of the 1950s, about 120 miles south-west of Amsterdam. Research published last year showed that most bulletproof hosts are located in China, where criminals are able to take advantage of low costs and legal loopholes to avoid prosecution. http://www.guardian.co.uk/technology/2010/jan/05/internet-piracy-bulletproof
**** NOTED PODCASTS ****
The Rewilding: A Metaphor (IT Conversations; by Karl Schroeder; 24 July 2009) - Long ago, when we started using technology, we lacked the collective cognizance to define the limits we wanted to exercise control within, so we tried controlling everything. The notion of technological advancement was about the degree of control exercised over nature. However, the modern trend indicates an inversion of that philosophy. According to sci-fi author Karl Schroeder, the world is now reaching a point where we are learning when to let go, and that, he says, is working well. http://itc.conversationsnetwork.org/shows/detail4274.html and http://itc.conversationsnetwork.org/audio/download/ITC.oscon-Schroeder-2009.07.24.mp3 [Editor: 15 minute podcast, relevant to Web 2.0 debates about employer loss of control and threats from too much sharing (e.g., at 8m45s and the discussion about “organizational rewilding”). Talks about knowing when to control, and knowing when to leave alone. ONE STAR.]
**** RESOURCES ****
An E-Book Buyer’s Guide to Privacy (EFF, 21 Dec 2009) - As we count down to end of 2009, the emerging star of this year’s holiday shopping season is shaping up to be the electronic book reader (or e-reader). From Amazon’s Kindle to Barnes and Noble’s forthcoming Nook, e-readers are starting to transform how we buy and read books in the same way mp3s changed how we buy and listen to music. Unfortunately, e-reader technology also presents significant new threats to reader privacy. E-readers possess the ability to report back substantial information about their users’ reading habits and locations to the corporations that sell them. And yet none of the major e-reader manufacturers have explained to consumers in clear unequivocal language what data is being collected about them and why. As a first step towards addressing these problems, EFF has created a first draft of our Buyer’s Guide to E-Book Privacy. We’ve examined the privacy policies for the major e-readers on the market to determine what information they reserve the right to collect and share. http://www.eff.org/deeplinks/2009/12/e-book-privacy
Privacy: An Overview of Federal Statutes Governing Wiretapping and Electronic Eavesdropping (Congressional Research Service, 5 Dec 2009) - This report provides an overview of federal law governing wiretapping and electronic eavesdropping. It also appends citations to state law in the area and contains a bibliography of legal commentary as well as the text of the Electronic Communications Privacy Act (ECPA) and the Foreign Intelligence Surveillance Act (FISA). It is a federal crime to wiretap or to use a machine to capture the communications of others without court approval, unless one of the parties has given their prior consent. It is likewise a federal crime to use or disclose any information acquired by illegal wiretapping or electronic eavesdropping. Violations can result in imprisonment for not more than five years; fines up to $250,000 (up to $500,000 for organizations); in civil liability for damages, attorneys’ fees and possibly punitive damages; in disciplinary action against any attorneys involved; and in suppression of any derivative evidence. Congress has created separate but comparable protective schemes for electronic communications (e.g., e-mail) and against the surreptitious use of telephone call monitoring practices such as pen registers and trap and trace devices. Each of these protective schemes comes with a procedural mechanism to afford limited law enforcement access to private communications and communications records under conditions consistent with the dictates of the Fourth Amendment. The government has been given narrowly confined authority to engage in electronic surveillance, conduct physical searches, install and use pen registers and trap and trace devices for law enforcement purposes under the Electronic Communications Privacy Act and for purposes of foreign intelligence gathering under the Foreign Intelligence Surveillance Act. Two FISA provisions, born in the USA PATRIOT Act and dealing with roving wiretaps (section 206) and business records (section 215), are scheduled to expire on December 31, 2009. This report includes a brief summary of the expired Protect America Act, P.L. 110-55 and of the Foreign Intelligence Surveillance Act of 1978 Amendments Act of 2008, P.L. 110-261 (H.R. 6304). It is available in an abridged form without footnotes, quotations, or appendices as CRS Report 98-327, Privacy: An Abbreviated Outline of Federal Statutes Governing Wiretapping and Electronic Eavesdropping, by Gina Stevens and Charles Doyle. http://assets.opencrs.com/rpts/98-326_20091203.pdf
The Growing Wave of Data Breach Litigation (Risk Management, December 2009) - Data breaches - the theft, loss or unintended exposure of personally identifiable information - have compromised hundreds of millions of personal records in recent years. In 2009, the trend continued with two of the largest breaches in history. In January, as many as 100 million credit card records were exposed when it was discovered that hackers broke into the network of credit card processor Heartland Payment Systems. And in October, the personal information of more than 70 million U.S. military veterans was compromised when an improperly erased hard drive was sent out for repair. These breaches, and others like them, only scratch the surface of the problem. A study by Gartner Inc. found that financial fraud affected 7.5% of all Americans in 2008, and data breaches spawned 19% of that fraud. The Identity Theft Resource Center (ITRC) reported that data breaches in 2008 increased by 47% over the previous year. And by November, the ITRC had reported more than 400 breaches affecting 220 million records in 2009 - an amount of records nearly equal to the previous four years combined. Given the scope of the problem, it should be no surprise that data breaches have led to expensive litigation, including attempted class actions. So far, however, these actions have met with little legal success (as distinguished by sizable costs and settlements). But considering the scope of the risk, it would be wise for companies to be familiar with the important decisions in this area. http://www.rmmagazine.com/MGTemplate.cfm?Section=RMMagazine&NavMenuID=128&template=/Magazine/DisplayMagazines.cfm&IssueID=341&AID=4015&Volume=56&ShowArticle=1
**** FUN ****
The Ten Best Viral Videos of the Decade (Salon.com, 26 Dec 2009) - Long ago — the 90s — the word “viral” applied strictly to illness, and we had only an inkling of how awesome it is to dance at weddings, defy gravity and laugh at the funny things cats and toddlers do. This decade changed that. Though we never want to hear words such as “Miss South Carolina,” “inspirational comedian” or “Numa Numa” again, and while we sometimes wonder if those hours spent engrossed in “Planet Unicorn” were hours squandered, we fully cop to a deep, abiding love for viral video. And what’s not to love? It’s a few moments of the crazy, the joyous and the jaw-dropping plopped into our daily grind, minutes made all the sweeter for their “You have GOT to see this” power to bring people together. These are the ones that made us click Replay again and again. http://www.salon.com/mwt/feature/2009/12/26/decade_viral_video [Editor: my favorite is under Honorable Mentions – “Where the Hell is Matt”]
**** LOOKING BACK - MIRLN TEN YEARS AGO ****
LEGAL BRIEF: LAWYERS CLAIM CREDIT FOR AVERTING Y2K DISASTER -- The gentle calendar change on 1 January 2000 having dashed the expectation that the legal community would cash in on a flood of liability lawsuits related to the Y2K computer problem, some lawyers are taking a little credit for saving the world from disaster. Ronald N. Weikers, an attorney who coauthored the book, “Litigating Year 2000 Cases,” says: “Nobody is going to believe that lawyers are heroes in this case, but we had something to do with it. It’s clear to me and a lot of attorneys that by raising red flags in advance we helped avoid bigger problems down the road.” But Weikers hasn’t given up all hope for a little new business, and tells people who are smug about surviving January 1st that “they shouldn’t rest so assured. They should wait a few months. There’s going to be a flurry of activity.” (Washington Post 10 Jan 2000) http://www.washingtonpost.com/wp-dyn/business/A23690-2000Jan9.html Related blog posting from 8 Jan 2010: http://www.TheCorporateCounsel.net/Blog/2010/01/y2k-tcc-the-november-doc.html
**** NOTES ****
MIRLN (Misc. IT Related Legal News) is a free product for members of the American Bar Association’s Cyberspace Law Committee, et al., and is produced by KnowConnect PLLC. Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at (find the “Listserves” box; MIRLN comes through the CLCC-MEMS listserve). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.
Recent MIRLN issues are archived at www.knowconnect.com/mirln.
SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, sans@sans.org.
4. NewsScan and Innovation, http://www.newsscan.com.
5. BNA’s Internet Law News, http://ecommercecenter.bna.com.
6. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
7. McGuire Wood’s Technology & Business Articles of Note,
8. Steptoe & Johnson’s E-Commerce Law Week,
9. Eric Goldman’s Technology and Marketing Law Blog, http://blog.ericgoldman.org/.
10. Readers’ submissions, and the editor’s discoveries.
This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.